Windows Analysis Report
EIuz8Bk9kGav2ix.exe

Overview

General Information

Sample name: EIuz8Bk9kGav2ix.exe
Analysis ID: 1567401
MD5: 2e69c1a7d2a987f925aaad945c2ce2b2
SHA1: 767d326371a5e8b3e3c85d5a87d3e928364b0e20
SHA256: 123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c
Tags: exe, user-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • EIuz8Bk9kGav2ix.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
    • powershell.exe (PID: 5296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7384 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 4248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3868 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • EIuz8Bk9kGav2ix.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • iexplore.exe (PID: 7236 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)
  • RNJBFdvJTXAE.exe (PID: 7348 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
    • schtasks.exe (PID: 7556 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RNJBFdvJTXAE.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 8012 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 8020 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 8028 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\yqpgyoyihvmyd" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 8044 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\bkvrzhjjvdednbzxp" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 980 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\tplymmqtvomskscmxqb" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 5016 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\sebqkwyzlxhlsxrpokduuzlb" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 1620 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • RNJBFdvJTXAE.exe (PID: 5076 cmdline: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv" MD5: 2E69C1A7D2A987F925AAAD945C2CE2B2)
      • WerFault.exe (PID: 8 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 1964 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
0000000E.00000002.3843932819.000000000298F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i
0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", ParentImage: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe, ParentProcessId: 6988, ParentProcessName: EIuz8Bk9kGav2ix.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", ProcessId: 5296, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe, ParentImage: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe, ParentProcessId: 7348, ParentProcessName: RNJBFdvJTXAE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp", ProcessId: 7556, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", ParentImage: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe, ParentProcessId: 6988, ParentProcessName: EIuz8Bk9kGav2ix.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp", ProcessId: 3868, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", ParentImage: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe, ParentProcessId: 6988, ParentProcessName: EIuz8Bk9kGav2ix.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", ProcessId: 5296, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe", ParentImage: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe, ParentProcessId: 6988, ParentProcessName: EIuz8Bk9kGav2ix.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp", ProcessId: 3868, ProcessName: schtasks.exe

                    Stealing of Sensitive Information

                    Source: Registry Key setAuthor: Joe Security: Data: Details: 30 0F C2 2C CB 87 27 B5 73 01 29 00 61 48 5E 83 B9 4F 86 E5 AA 5F E8 7C 96 D8 0F 42 54 17 4E BF 7B A5 07 D4 67 96 82 F2 12 1B 41 44 29 9A 64 78 A6 FC 60 0B 65 55 95 8F 50 20 C3 5B A5 67 E7 ED 05 61 BE 6B 51 C7 5D BF 47 15 57 2E C2 35 D5 C1 5A 2C 3F E7 A1 3E , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe, ProcessId: 7208, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZFXG9Y\exepath
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-12-03T14:31:50.569856+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50025 | 52.182.143.212 | 443 | TCP
                    2024-12-03T14:28:25.483600+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:28:37.686765+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:28:37.999305+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:28:48.280568+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:30:20.906039+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49879 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:30:21.202946+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49881 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:30:40.343612+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49923 | 192.3.64.152 | 2559 | TCP
                    2024-12-03T14:28:28.203361+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 178.237.33.50 | 80 | TCP

                    AV Detection

                    Source: 00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeReversingLabs: Detection: 50%
                    Source: EIuz8Bk9kGav2ix.exeReversingLabs: Detection: 50%
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000E.00000002.3843932819.000000000298F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7608, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeJoe Sandbox ML: detected
                    Source: EIuz8Bk9kGav2ix.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_004338C8
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_9eda13bd-8

                    Exploits

                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00407538 _wcslen,CoGetObject,8_2_00407538
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 52.182.143.212:443 -> 192.168.2.4:50025 version: TLS 1.2
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0040AE51 FindFirstFileW,FindNextFileW,19_2_0040AE51
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407EF8
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,21_2_00407898
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2

                    Networking

                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 192.3.64.152:2559
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49735 -> 192.3.64.152:2559
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49745 -> 192.3.64.152:2559
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 192.3.64.152:2559
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49879 -> 192.3.64.152:2559
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49881 -> 192.3.64.152:2559
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49923 -> 192.3.64.152:2559
                    Source: Malware configuration extractorIPs: 192.3.64.152
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49736 -> 178.237.33.50:80
                    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50025 -> 52.182.143.212:443
                    Source: unknownTCP traffic detected without corresponding DNS query: 192.3.64.152
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,8_2_0041B411
                    Source: RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                    Source: RNJBFdvJTXAE.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: RNJBFdvJTXAE.exe, 00000013.00000002.2053952462.000000000174D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: RNJBFdvJTXAE.exe, 00000013.00000002.2053952462.000000000174D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                    Source: RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                    Source: RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: unknownHTTP traffic detected: POST /Telemetry.Request HTTP/1.1Connection: Keep-AliveUser-Agent: MSDWMSA_DeviceTicket_Error: 0x80004004Content-Length: 4656Host: umwatson.events.data.microsoft.com
                    Source: RNJBFdvJTXAE.exe, 0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: http://geoplugin.net/json.gp
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, EIuz8Bk9kGav2ix.exe, 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: RNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.0000000002F11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://localhost/arkanoid_server/requests.php
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1731428516.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, EIuz8Bk9kGav2ix.exe, 00000000.00000002.1731428516.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.0000000002F11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: bhv98D9.tmp.19.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: http://www.digicert.com/CPS0~
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
                    Source: RNJBFdvJTXAE.exe, 00000013.00000002.2053314170.00000000010F3000.00000004.00000010.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 00000017.00000002.3188316386.0000000000934000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: RNJBFdvJTXAE.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: RNJBFdvJTXAE.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drString found in binary or memory: https://www.office.com/
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
                    Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
                    Source: unknown HTTPS traffic detected: 52.182.143.212:443 -> 192.168.2.4:50025 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 8_2_0040A2F3
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_0040B749
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_004168FC
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 19_2_0040987A
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 19_2_004098E2
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 20_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 20_2_00406DFC
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 20_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 20_2_00406E9F
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 21_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 21_2_004068B5
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 21_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 21_2_004072B5
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 8_2_0040A41B
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000E.00000002.3843932819.000000000298F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7608, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0041CA6D SystemParametersInfoW, 8_2_0041CA6D
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0041CA73 SystemParametersInfoW, 8_2_0041CA73

                    System Summary

                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 8_2_0041812A
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 19_2_0040DD85
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_00401806 NtdllDefWindowProc_W, 19_2_00401806
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_004018C0 NtdllDefWindowProc_W, 19_2_004018C0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 20_2_004016FD NtdllDefWindowProc_A, 20_2_004016FD
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 20_2_004017B7 NtdllDefWindowProc_A, 20_2_004017B7
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 21_2_00402CAC NtdllDefWindowProc_A, 21_2_00402CAC
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 21_2_00402D66 NtdllDefWindowProc_A, 21_2_00402D66
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_004167EF
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044731019_2_00447310
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044A49019_2_0044A490
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0040755A19_2_0040755A
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0043C56019_2_0043C560
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044B61019_2_0044B610
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044D6C019_2_0044D6C0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_004476F019_2_004476F0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044B87019_2_0044B870
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044081D19_2_0044081D
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0041495719_2_00414957
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_004079EE19_2_004079EE
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00407AEB19_2_00407AEB
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044AA8019_2_0044AA80
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00412AA919_2_00412AA9
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00404B7419_2_00404B74
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00404B0319_2_00404B03
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044BBD819_2_0044BBD8
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00404BE519_2_00404BE5
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00404C7619_2_00404C76
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00415CFE19_2_00415CFE
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00416D7219_2_00416D72
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00446D3019_2_00446D30
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00446D8B19_2_00446D8B
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00406E8F19_2_00406E8F
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0040503820_2_00405038
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0041208C20_2_0041208C
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_004050A920_2_004050A9
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0040511A20_2_0040511A
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0043C13A20_2_0043C13A
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_004051AB20_2_004051AB
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044930020_2_00449300
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0040D32220_2_0040D322
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044A4F020_2_0044A4F0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0043A5AB20_2_0043A5AB
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0041363120_2_00413631
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044669020_2_00446690
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044A73020_2_0044A730
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_004398D820_2_004398D8
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_004498E020_2_004498E0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044A88620_2_0044A886
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0043DA0920_2_0043DA09
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_00438D5E20_2_00438D5E
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_00449ED020_2_00449ED0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0041FE8320_2_0041FE83
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_00430F5420_2_00430F54
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_004050C221_2_004050C2
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_004014AB21_2_004014AB
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_0040513321_2_00405133
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_004051A421_2_004051A4
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_0040124621_2_00401246
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_0040CA4621_2_0040CA46
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_0040523521_2_00405235
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_004032C821_2_004032C8
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_0040168921_2_00401689
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00402F6021_2_00402F60
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: String function: 00402093 appears 50 times
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: String function: 00434801 appears 41 times
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: String function: 00401E65 appears 34 times
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: String function: 00434E70 appears 54 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 004169A7 appears 87 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 0044DB70 appears 41 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 004165FF appears 35 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 00422297 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 00444B5A appears 37 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 00413025 appears 79 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: String function: 00416760 appears 69 times
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 1964
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1728785985.00000000009DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1741048621.00000000077E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1745095742.0000000009A70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1741741856.0000000007E4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1731428516.000000000298C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1742311853.0000000007EC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAYOn.exe0 vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1733178302.00000000040A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe Binary or memory string: OriginalFilenameAYOn.exe0 vs EIuz8Bk9kGav2ix.exe
                    Source: EIuz8Bk9kGav2ix.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: RNJBFdvJTXAE.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.43ee820.4.raw.unpack, zEwE4QOC4ldJ4QLiYT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, zEwE4QOC4ldJ4QLiYT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.43ee820.4.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.43ee820.4.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.43ee820.4.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.9a70000.7.raw.unpack, zEwE4QOC4ldJ4QLiYT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.9a70000.7.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.9a70000.7.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.9a70000.7.raw.unpack, SIbKR0Rgsw4TsSjPhr.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                    Source: EIuz8Bk9kGav2ix.exe, 00000000.00000002.1731428516.000000000298C000.00000004.00000800.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.0000000002FFC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .slN@\^q
                    Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@38/25@1/3
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,19_2_004182CE
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_0041798D
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,21_2_00410DE1
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,19_2_00418758
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_0040F4AF
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,8_2_0041B539
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeFile created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeMutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7608
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeMutant created: \Sessions\1\BaseNamedObjects\sETCXuatmBjktZ
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4D69.tmp
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: EIuz8Bk9kGav2ix.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSystem information queried: HandleInformation
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000014.00000002.2042353114.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: RNJBFdvJTXAE.exe, 00000017.00000002.3189398882.0000000000EAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: RNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: EIuz8Bk9kGav2ix.exeReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeFile read: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                    Source: unknownProcess created: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeProcess created: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\yqpgyoyihvmyd"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\bkvrzhjjvdednbzxp"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\tplymmqtvomskscmxqb"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\sebqkwyzlxhlsxrpokduuzlb"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 1964
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: pstorec.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.EIuz8Bk9kGav2ix.exe.43ee820.4.raw.unpack, SIbKR0Rgsw4TsSjPhr.cs.Net Code: OPY1NaOFBG System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.77e0000.6.raw.unpack, L2.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.9a70000.7.raw.unpack, SIbKR0Rgsw4TsSjPhr.cs.Net Code: OPY1NaOFBG System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, SIbKR0Rgsw4TsSjPhr.cs.Net Code: OPY1NaOFBG System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.40c1d80.3.raw.unpack, L2.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.2a0472c.0.raw.unpack, L2.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 0_2_00C70861 push ds; retn 0000h0_2_00C70862
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 0_2_04E19300 push dword ptr [ecx+ecx-75h]; iretd 0_2_04E1931A
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 0_2_04E11C48 push esp; iretd 0_2_04E11C49
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 0_2_04E11C53 push esp; iretd 0_2_04E11C49
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00457186 push ecx; ret 8_2_00457199
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 14_2_10002806 push ecx; ret 14_2_10002819
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 14_2_10009FD8 push esi; ret 14_2_10009FD9
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044693D push ecx; ret 19_2_0044694D
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044DB70 push eax; ret 19_2_0044DB84
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0044DB70 push eax; ret 19_2_0044DBAC
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_00451D54 push eax; ret 19_2_00451D61
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044B090 push eax; ret 20_2_0044B0A4
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_0044B090 push eax; ret 20_2_0044B0CC
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 20_2_00444E71 push ecx; ret 20_2_00444E81
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00414060 push eax; ret 21_2_00414074
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00414060 push eax; ret 21_2_0041409C
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00414039 push ecx; ret 21_2_00414049
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_004164EB push 0000006Ah; retf 21_2_004165C4
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00416553 push 0000006Ah; retf 21_2_004165C4
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 21_2_00416555 push 0000006Ah; retf 21_2_004165C4
                    Source: EIuz8Bk9kGav2ix.exeStatic PE information: section name: .text entropy: 7.849661313574739
                    Source: RNJBFdvJTXAE.exe.0.drStatic PE information: section name: .text entropy: 7.849661313574739
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.43ee820.4.raw.unpack, 0.2.EIuz8Bk9kGav2ix.exe.9a70000.7.raw.unpack, 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack: High entropy of concatenated method names
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, LqwFTrpHQ5Xhm54ILG.csHigh entropy of concatenated method names: 'tLvE6UYcK4', 'PXbE5USreO', 'ToString', 'fFFEs0cBRn', 'oPqEIBVtcw', 'zDmEyXNnvy', 'MSCExfMfGU', 'APyEue09KQ', 'V6MEoltFol', 'BvcERUnHEV'
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, SIbKR0Rgsw4TsSjPhr.csHigh entropy of concatenated method names: 'wYLrj2WdQj', 'bfhrswv2w3', 'Eg0rIr154u', 'NQCrymY9yj', 'JRerxR3Fhx', 'Ia1ruePKQZ', 'LClro1auca', 'REkrRmxg7N', 'ziNrMHsQSX', 'kmKr6JIUmm'
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, hP1eFEWtcDlxrx2aGV.csHigh entropy of concatenated method names: 'oN2N8bTiu', 'tWQmB9J6p', 'b5IJ26FFl', 'G2yVQm5vV', 'XbE4P5M0X', 'SQfHyQa3L', 'VW7WAiMeYhZRkylodL', 'tShMo1r5tvlt1POSFN', 'AWQ9w3SFv', 's2dTYPL5u'
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, epH7hncGqPx5CEpCdp.csHigh entropy of concatenated method names: 'sFo3dMqSK5', 'Y0R3EDbyKy', 'Bpk33a8NRy', 'lue3eSaoSi', 'D4T3GVKwnf', 'iuX3KMZIro', 'Dispose', 'B0y9sFr8Jk', 'lhG9IX8sj9', 'o2Q9ykI8Pv'
                    Source: 0.2.EIuz8Bk9kGav2ix.exe.44aba40.1.raw.unpack, XWNecL0WLZLCv2yYt2.csHigh entropy of concatenated method names: 'eeRosprFgM', 'gcCoyEGpZD', 'I6wou2H6ob', 'lqAuntr8Jq', 'PxTuz5wrC5', 'sPRoFGy2Ic', 'HCioBUExw4', 'yRNoW7Kaj7', 'MrJor9E6qW', 'KKZo1MKuWK'
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe; Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW,8_2_00406EEB
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe; File created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe; Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe; Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040F7E2 Sleep,ExitProcess,8_2_0040F7E2
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 28A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 48A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 4F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 5F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 6080000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 7080000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: 9C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: AC70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: B100000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: C100000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 16F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 2F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 4F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 55B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 65B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 66E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: 76E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: A230000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: B230000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: B6C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Memory allocated: C6C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,19_2_0040DD85
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_0041A7D9
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5560
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1165
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5871
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 458
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Window / User API: threadDelayed 4825
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Window / User API: threadDelayed 4702
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Window / User API: foregroundWindowGot 1735
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe API coverage: 9.5 %
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264 Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1216 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe TID: 7472 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe TID: 7640 Thread sleep time: -74000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe TID: 7644 Thread sleep time: -14475000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe TID: 7644 Thread sleep time: -14106000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_0040AE51 FindFirstFileW,FindNextFileW,19_2_0040AE51
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 20_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407EF8
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 21_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,21_2_00407898
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_00418981 memset,GetSystemInfo,19_2_00418981
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Thread delayed: delay time: 922337203685477
                    Source: RNJBFdvJTXAE.exe, 0000000A.00000002.1804999291.0000000008490000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
                    Source: RNJBFdvJTXAE.exe, 0000000A.00000002.1804999291.0000000008490000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.
                    Source: RNJBFdvJTXAE.exe, 0000000E.00000002.3843518980.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000E.00000002.3843518980.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: bhv4E69.tmp.23.dr, bhv98D9.tmp.19.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                    Source: RNJBFdvJTXAE.exe, 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
                    Source: bhv98D9.tmp.19.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,19_2_0040DD85
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h] 8_2_00443355
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 14_2_10004AB4 mov eax, dword ptr fs:[00000030h] 14_2_10004AB4
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_004120B2 GetProcessHeap,HeapFree,8_2_004120B2
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0043503C
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB71
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00434BD8 SetUnhandledExceptionFilter,8_2_00434BD8
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 14_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_100060E2
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 14_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_10002639
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: 14_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_10002B1C
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,8_2_0041812A
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory written: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Section loaded: NULL target: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 31FB008
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00419662 mouse_event,8_2_00419662
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process created: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\yqpgyoyihvmyd"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\bkvrzhjjvdednbzxp"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\tplymmqtvomskscmxqb"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\sebqkwyzlxhlsxrpokduuzlb"
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Process created: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv"
                    Source: RNJBFdvJTXAE.exe, 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.14.dr Binary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: 8_2_00434CB6 cpuid 8_2_00434CB6
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: EnumSystemLocalesW,8_2_0045201B
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: EnumSystemLocalesW,8_2_004520B6
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00452143
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetLocaleInfoW,8_2_00452393
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: EnumSystemLocalesW,8_2_00448484
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_004524BC
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetLocaleInfoW,8_2_004525C3
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00452690
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetLocaleInfoW,8_2_0044896D
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: GetLocaleInfoA,8_2_0040F90C
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00451D58
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: EnumSystemLocalesW,8_2_00451FD0
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Queries volume information: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe VolumeInformation
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,8_2_0041A045
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0041B69E GetUserNameW,8_2_0041B69E
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeCode function: 8_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_0044942D
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exeCode function: 19_2_0041739B GetVersionExW,19_2_0041739B
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000E.00000002.3843932819.000000000298F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7608, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: \key3.db 8_2_0040BB6B
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: ESMTPPassword 20_2_004033F0
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 20_2_00402DB3
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 20_2_00402DB3
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 8020, type: MEMORYSTR

                    Remote Access Functionality

                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
                    Source: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 8.2.EIuz8Bk9kGav2ix.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4cb12b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.46406b8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.EIuz8Bk9kGav2ix.exe.45c7a98.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.RNJBFdvJTXAE.exe.4c38690.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000E.00000002.3843932819.000000000298F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 6988, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: EIuz8Bk9kGav2ix.exe PID: 7208, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7348, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RNJBFdvJTXAE.exe PID: 7608, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe Code function: cmd.exe 8_2_0040569A
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                    Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                    Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Access Token Manipulation | 3 Obfuscated Files or Information | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 12 Software Packing | 3 Credentials In Files | 3 File and Directory Discovery | Distributed Component Object Model | 211 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 422 Process Injection | 1 DLL Side-Loading | LSA Secrets | 38 System Information Discovery | SSH | 3 Clipboard Data | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 1 Bypass User Account Control | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 41 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 422 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    [Behavior graph. ID: 1567401, Sample: EIuz8Bk9kGav2ix.exe, Startdate: 03/12/2024, Architecture: WINDOWS, Score: 100]

                    Source | Detection | Scanner | Label | Link
                    EIuz8Bk9kGav2ix.exe | 50% | ReversingLabs | Win32.Trojan.Remcos |
                    EIuz8Bk9kGav2ix.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe | 50% | ReversingLabs | Win32.Trojan.Remcos |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    geoplugin.net | 178.237.33.50 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    http://geoplugin.net/json.gp | false | | high

                    Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                  http://www.galapagosdesign.com/DPleaseEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                      high
                                                                                      https://login.yahoo.com/config/loginRNJBFdvJTXAE.exefalse
                                                                                        high
                                                                                        http://www.fonts.comEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.sandoll.co.krEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.urwpp.deDPleaseEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.nirsoft.net/RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.zhongyicts.com.cnEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameEIuz8Bk9kGav2ix.exe, 00000000.00000002.1731428516.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, EIuz8Bk9kGav2ix.exe, 00000000.00000002.1731428516.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, RNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.0000000002F11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.sakkal.comEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816dbhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                        high
                                                                                                        https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367dbhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                          high
                                                                                                          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgbhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                            high
                                                                                                            https://www.office.com/bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                              high
                                                                                                              http://www.apache.org/licenses/LICENSE-2.0EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.fontbureau.comEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                    high
                                                                                                                    https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                      high
                                                                                                                      https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                        high
                                                                                                                        https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8dbhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                          high
                                                                                                                          https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                            high
                                                                                                                            http://www.imvu.comRNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://aefd.nelreports.net/api/report?cat=wsbbhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                high
                                                                                                                                https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                  high
                                                                                                                                  http://www.carterandcone.comlEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                      high
                                                                                                                                      http://www.fontbureau.com/designers/cabarga.htmlNEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.founder.com.cn/cnEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.fontbureau.com/designers/frere-user.htmlEIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://aefd.nelreports.net/api/report?cat=bingaotbhv98D9.tmp.19.drfalse
                                                                                                                                              high
                                                                                                                                              https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-aebhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                high
                                                                                                                                                https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                  high
                                                                                                                                                  http://www.jiyu-kobo.co.jp/EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.fontbureau.com/designers8EIuz8Bk9kGav2ix.exe, 00000000.00000002.1743265415.00000000091B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFDbhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://aefd.nelreports.net/api/report?cat=bingrmsbhv98D9.tmp.19.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.google.com/accounts/serviceloginRNJBFdvJTXAE.exefalse
                                                                                                                                                              high
                                                                                                                                                              http://localhost/arkanoid_server/requests.phpRNJBFdvJTXAE.exe, 0000000A.00000002.1796842904.0000000002F11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59bhv4E69.tmp.23.dr, bhv98D9.tmp.19.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://www.ebuddy.comRNJBFdvJTXAE.exe, RNJBFdvJTXAE.exe, 00000015.00000002.2039279623.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                                          high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
52.182.143.212 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
192.3.64.152 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567401
Start date and time: 2024-12-03 14:27:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EIuz8Bk9kGav2ix.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@38/25@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 174
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: EIuz8Bk9kGav2ix.exe
Time | Type | Description
08:28:13 | API Interceptor | 1x Sleep call for process: EIuz8Bk9kGav2ix.exe modified
08:28:16 | API Interceptor | 43x Sleep call for process: powershell.exe modified
08:28:20 | API Interceptor | 3871025x Sleep call for process: RNJBFdvJTXAE.exe modified
08:31:50 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
13:28:17 | Task Scheduler | Run new task: RNJBFdvJTXAE path: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):1.0144466770691167
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:tywbhuI0BU/ojkZraHt2zuiFCZ24IO8o:MwbhujBU/ojizuiFCY4IO8o
                                                                                                                                                                          MD5:83907A86F8F629DDE7D8B3489830C020
                                                                                                                                                                          SHA1:36C472C2A0E84C9C3D35A6F01610316FA0FA437D
                                                                                                                                                                          SHA-256:F7702B8E35A4A8CBF36AAC87CEF4A59038F833DE0A55FCB087E89BF556F9F30B
                                                                                                                                                                          SHA-512:F6D366AEDC7EF68C80F5038E985B248EBF4E4C13EE521573517E5722EA7D06582C8CB8C37A13A0E071F053B445D0E2D1B21D6A97C288D76F352D0F77C30F9127
                                                                                                                                                                          Malicious:false
Preview:
Version=1
EventType=APPCRASH
EventTime=133777062864493882
ReportType=2
Consent=1
UploadTime=133777062869806422
ReportStatus=524384
ReportIdentifier=3a37f0f7-6fe9-4a98-91dd-ae9fdc8f4da6
IntegratorReportIdentifier=3720d46a-8987-4eac-8db1-92af1bc84a8f
Wow64Host=34404
Wow64Guest=332
NsAppName=RNJBFdvJTXAE.exe
OriginalFilename=AYOn.exe
AppSessionGuid=00001db8-0001-0014-36e5-ea398745db01
TargetAppId=W:00065aeda68ca7e92bc2f196092103278cb500000000!0000767d326371a5e8b3e3c85d5a87d3e928364b0
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 13:31:26 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):133938
                                                                                                                                                                          Entropy (8bit):1.8670631013390182
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:/WMZHwcd4ie5cNjO93zukbU3wSC7cTr4ege2N2mHfZUPfDy0xE7puyE16MJPcu:/W6H5eie54azuG0CATrqe29Axs+Pcu
                                                                                                                                                                          MD5:E7ECF373510B3A09428BEA335E691C1C
                                                                                                                                                                          SHA1:A1F99443B7540B7E4FC0293465854E6E192DEAEA
                                                                                                                                                                          SHA-256:546258A465FB03A67BF39E170338FC01F5875731C53A1CF8783A0F68A8B5CC0E
                                                                                                                                                                          SHA-512:6D670879747E5B381074296E72B9BA1553E27BC1A91E4C3306D3C7F0FA0273F664709A099EA786D6AA13CD77DA30CC929BFD9CC8D811381052F708497D7A452C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):6338
                                                                                                                                                                          Entropy (8bit):3.733641304894962
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:RSIU6o7wVetbqE6KCjYrQE/qpZKG5aM4Uw89bP6msfsi9Ym:R6l7wVeJqE6KmYrmH1prw89bCmsfvWm
                                                                                                                                                                          MD5:35F704A3E5A631AEFA0C924913B19B4E
                                                                                                                                                                          SHA1:6697290CEB8D678DDACA9CBB6BF38948583A5403
                                                                                                                                                                          SHA-256:4A56D22C178A9EC09EFBE4F9FDD945DE811A91E0AECCA220B26CA47887A94DBF
                                                                                                                                                                          SHA-512:F2B47530F224A00A8954E1745992CF53C21A82806886D85EF050EB428E40CE73FFFE315C9F7FDD8833885DE4E74DF6586C70EDD6EC1C2FB688325CAB4F32089D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.0.8.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4652
                                                                                                                                                                          Entropy (8bit):4.506804799240102
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsZm/Jg77aI9mpWpW8VYBYm8M4JIs55Fb+q87CFCh7f2Yjsjd:uIjf0hI7MY7VdJ1e7Jsjd
                                                                                                                                                                          MD5:DFCEDEA84E658FA68BBE084CEABA4186
                                                                                                                                                                          SHA1:899C14DF838BB404521D9F0FBF076A70026DC983
                                                                                                                                                                          SHA-256:65BED3BDCDAB9950AAB3FD9ADEF3990F302B2B172B81CAEC11CB8BAF2FE81A27
                                                                                                                                                                          SHA-512:6854B6262A3DB852270DA2F0EEFAD4387073F029872E547CC551730925CFA7AEC9B181F0ED90A5BC47F757ACCFAA14FF778FA8EFEB25B862D9E329EEC0E70C81
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615154" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):144
                                                                                                                                                                          Entropy (8bit):3.3544524354439966
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:rhlKlyKElNXld/lWfwlDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lZMG4b5YcIeeDAlOWAv
                                                                                                                                                                          MD5:B244F70BB0BBE7AED1D36CFDFA80B531
                                                                                                                                                                          SHA1:3BC2FB926A031BAEA9F518E97784DDB0EF3327C5
                                                                                                                                                                          SHA-256:E8E0AB5CDCFB4308A96AAB30878AFCFFAA0E62CB69B624D950FEA5E593BC6588
                                                                                                                                                                          SHA-512:56F374B3C29965A1B756B293A2DBAE1F4B3C29FB6996C9AB4C9E7082471F7626CDBE64E4D992BDF84C44D634E8C54C7A9727FDE70E424E12A8BEEBAFFC276BE3
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Yara Hits:
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                                                                          Preview:....[.2.0.2.4./.1.2./.0.3. .0.8.:.2.8.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                                                                          Process:C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1216
                                                                                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1216
                                                                                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):963
                                                                                                                                                                          Entropy (8bit):5.01340392779544
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:tkluJnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qluNdbauKyGX85jvXhNlT3/7AcV9Wro
                                                                                                                                                                          MD5:353DFD85F7CEA1AE2618639F555626F7
                                                                                                                                                                          SHA1:C36E7929F2173540028FF62C87751E92F54B8F88
                                                                                                                                                                          SHA-256:039F79D984650F3758F43BCBDF012BD8D5BAF2EB27523CB08E725D6B84C50C71
                                                                                                                                                                          SHA-512:DB7EFA0B6BF72DE65167AB65882BCAA1B6CCFEE7252822CC0C43476D3C08AA3630082A9AEA26582D74AA559A69FA13283321B8924A10A74062DF4F661B8D3980
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2232
                                                                                                                                                                          Entropy (8bit):5.380805901110357
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                                                                                                                                                          MD5:16AD599332DD2FF94DA0787D71688B62
                                                                                                                                                                          SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                                                                                                                                                          SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                                                                                                                                                          SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9e7f320f, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):20447232
Entropy (8bit):1.2827254752142379
Encrypted:false
SSDEEP:12288:A90eIG072K+OfvKDb2J+UU5cFRF7HdO9uF:3G33D++
MD5:43FEA87E689F38FA0E7A902B6B619A8E
SHA1:560936DD7CF83F5CE63264A5160F809FE8D9DA96
SHA-256:1842A7B58DB462189FCE608BF1E38A6E46901565FEB398AB741B3ED99CCC67AD
SHA-512:0A1364DD10755760C4054FDDDF784FC062888B24A0B2DA6B911F31EC75569962B4278C3291A0BC35EB5FCEFBEC786FEC491CB70A8B943B7D1792E7C07EB6B4BF
Malicious:false
Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
File Type:Unicode text, UTF-16, little-endian text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview:..
Process:C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
File Type:XML 1.0 document, ASCII text
Category:dropped
Size (bytes):1578
Entropy (8bit):5.120698209241966
Encrypted:false
SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta3xxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTCv
MD5:A1932634DA799932DBA3E7CF294848E3
SHA1:B27E57418BBB9F91C8B4B4A92F36DA1104CF4959
SHA-256:EDB81CE92C19118254307AB56041599B5E5671104ACB570D9007F5F8C11C4999
SHA-512:F335C995B5322D978287AEA4EEF3AB500642448A84C39D35DCA16820BB0F18E1DD3ECEFBA8D34E011AE26E63092D0CBBAA2D7749F5F4AFD30FECAD0CAEB4728B
Malicious:true
Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1578
                                                                                                                                                                          Entropy (8bit):5.120698209241966
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta3xxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTCv
                                                                                                                                                                          MD5:A1932634DA799932DBA3E7CF294848E3
                                                                                                                                                                          SHA1:B27E57418BBB9F91C8B4B4A92F36DA1104CF4959
                                                                                                                                                                          SHA-256:EDB81CE92C19118254307AB56041599B5E5671104ACB570D9007F5F8C11C4999
                                                                                                                                                                          SHA-512:F335C995B5322D978287AEA4EEF3AB500642448A84C39D35DCA16820BB0F18E1DD3ECEFBA8D34E011AE26E63092D0CBBAA2D7749F5F4AFD30FECAD0CAEB4728B
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2
                                                                                                                                                                          Entropy (8bit):1.0
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Qn:Qn
                                                                                                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..
                                                                                                                                                                          Process:C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1026560
                                                                                                                                                                          Entropy (8bit):7.847186590980493
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24576:50IeeyMLvMqxTE1am3NbYPu5xQBhlbeaI:WBek2TAam9SuxQBhT
                                                                                                                                                                          MD5:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          SHA1:767D326371A5E8B3E3C85D5A87D3E928364B0E20
                                                                                                                                                                          SHA-256:123D60E73EF07B75F285D67DE12C69137304E6932415B20D76432914F3E15E1C
                                                                                                                                                                          SHA-512:77BCFF731628C92D6A1888DB1E05D6BC531607F0FB06F6C735AC8D46A9993BAC03BA32461FC461DEDCF4E7A3C786A300D981AB0362E92DB2CB55453DD65405A6
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0..X...P.......w... ........@.. ....................................@..................................w..W........L........................................................................... ............... ..H............text....W... ...X.................. ..`.rsrc....L.......N...Z..............@..@.reloc..............................@..B.................w......H.......................0....\...........................................(.9...K...]...{....GwL.+@C.nw...........'...A.w..2...b..S...."w.............r.......1n..b.8......D;j.....-./;...r.+.Q.| ..I...7..#U...V.;....-..[..F.7...c......)..0{S.....).[.....1h..H.. ...../m..:9b..#E..-cz.....z....g.e6..........r.^+..W}.r..,VD..._.gvh...>Q..~V...l.V..lei...E...&.w..^n.K~\6.....:H.._...)....5...3~_..o[..#...~=.....FkP..g..X0..~\6.....:H.0..........(....*...0..
                                                                                                                                                                          Process:C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):26
                                                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                          Entropy (8bit):7.847186590980493
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                          File name:EIuz8Bk9kGav2ix.exe
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5:2e69c1a7d2a987f925aaad945c2ce2b2
                                                                                                                                                                          SHA1:767d326371a5e8b3e3c85d5a87d3e928364b0e20
                                                                                                                                                                          SHA256:123d60e73ef07b75f285d67de12c69137304e6932415b20d76432914f3e15e1c
                                                                                                                                                                          SHA512:77bcff731628c92d6a1888db1e05d6bc531607f0fb06f6c735ac8d46a9993bac03ba32461fc461dedcf4e7a3c786a300d981ab0362e92db2cb55453dd65405a6
                                                                                                                                                                          SSDEEP:24576:50IeeyMLvMqxTE1am3NbYPu5xQBhlbeaI:WBek2TAam9SuxQBhT
                                                                                                                                                                          TLSH:F225028C7601F54FC903D6358EB4FD74A6286EAA9306931399D71DEFBC1D896CE041E2
                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng..............0..X...P.......w... ........@.. ....................................@................................
                                                                                                                                                                          Icon Hash:033424c4c199d839
                                                                                                                                                                          Entrypoint:0x4f77de
                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                          Time Stamp:0x674E9BA9 [Tue Dec 3 05:48:25 2024 UTC]
                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                          OS Version Major:4
                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                          File Version Major:4
                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                          Instruction
                                                                                                                                                                          jmp dword ptr [00402000h]
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7784 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x4ca8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf57e4 | 0xf5800 | 440f1bb11879791368bb6d198bb44639 | False | 0.9288223173370672 | data | 7.849661313574739 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf8000 | 0x4ca8 | 0x4e00 | 6a40b07e7ddf652534e254ce96180634 | False | 0.9410056089743589 | data | 7.769009453578577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfe000 | 0xc | 0x200 | f45f3bda8a8a4fafa5558822c10491d2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf8130 | 0x46f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9932852661126094
RT_GROUP_ICON | 0xfc82c | 0x14 | data |  |  | 1.05
RT_VERSION | 0xfc840 | 0x278 | data |  |  | 0.47151898734177217
RT_MANIFEST | 0xfcab8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T14:28:25.483600+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49735 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:28:28.203361+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49736 | 178.237.33.50 | 80 | TCP
2024-12-03T14:28:37.686765+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49742 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:28:37.999305+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49743 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:28:48.280568+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49745 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:30:20.906039+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49879 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:30:21.202946+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49881 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:30:40.343612+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49923 | 192.3.64.152 | 2559 | TCP
2024-12-03T14:31:50.569856+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 50025 | 52.182.143.212 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                          Dec 3, 2024 14:28:38.478795052 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:38.478820086 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:38.478847980 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.478857040 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:38.478857040 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.478878021 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.478887081 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.478895903 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:38.478898048 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.478913069 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:38.478914976 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.478936911 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:38.488990068 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599189043 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599214077 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599220991 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599257946 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599441051 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599606991 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599617004 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.599664927 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.600069046 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:38.969367027 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:39.089531898 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.358239889 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.402326107 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:39.404016972 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:39.522631884 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522646904 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522702932 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522794962 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522803068 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522806883 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522891998 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522901058 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.522954941 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.523051023 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.523060083 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.523067951 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.523109913 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.523118973 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.524041891 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.524050951 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.524182081 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.524256945 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.524265051 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.524359941 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:39.984110117 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:40.104218960 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.375396967 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.417818069 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:40.419401884 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:40.538898945 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.538943052 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.538957119 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.538980007 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.538990974 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.538995028 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.538999081 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539016962 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539062023 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539156914 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539165974 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539202929 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539212942 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.539268017 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540124893 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540222883 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540230989 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540237904 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540282965 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540291071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540307999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540316105 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540352106 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:40.540374994 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.038654089 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:41.158821106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.430592060 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.481367111 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:41.482938051 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:41.601804972 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.601821899 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.601855040 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.601876974 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.601967096 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602015972 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602097988 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602107048 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602180958 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602190018 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602274895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602333069 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602438927 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.602447987 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603092909 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603111982 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603301048 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603408098 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603416920 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603446007 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603456020 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603468895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603507042 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:41.603516102 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.046632051 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:42.167427063 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.435096979 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.480654001 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:42.482289076 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:42.600739956 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.600755930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.600768089 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.600825071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.600905895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.600950003 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.601042032 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:42.601052046 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679141998 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679152012 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679266930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679276943 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679289103 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679328918 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.679991007 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680017948 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680067062 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680133104 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680176973 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680187941 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680269003 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680289030 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680310965 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:47.680408001 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.140305042 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.216581106 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.260374069 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.280567884 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.459928989 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.512350082 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.529505968 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.577462912 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.632394075 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.632541895 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.706855059 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.715363026 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:48.752495050 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827141047 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827158928 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827169895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827302933 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827310085 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827323914 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827395916 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827415943 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827474117 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827500105 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827584982 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827601910 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827723026 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.827739954 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835489988 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835520983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835597992 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835608006 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835661888 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835669041 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835721016 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835741997 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835905075 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:48.835915089 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031547070 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031594038 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031605005 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031723976 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.031735897 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031784058 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.031874895 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031891108 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.031936884 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.032105923 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.032124996 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.032170057 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.034786940 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.034856081 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.034904957 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.043330908 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.043379068 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.043445110 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.151765108 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.155777931 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.202469110 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.232541084 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.232673883 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.232762098 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.236498117 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.238020897 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.238091946 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.238163948 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.245748997 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.245806932 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.245831966 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.253314972 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.253388882 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.253417015 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.260922909 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.261003017 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.261034966 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.268794060 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.268867016 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.268867970 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.276089907 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.276307106 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.276360035 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.276416063 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.284133911 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.284209013 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.284209967 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.291928053 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.292001009 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.292011976 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.299474001 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.299565077 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.299575090 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.307173967 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.307225943 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.307255983 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.322482109 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.322590113 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.322604895 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.374572992 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.433937073 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.434011936 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.434067011 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.437766075 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.439246893 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711384058 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711539030 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711550951 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711698055 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711708069 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711715937 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711724997 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711734056 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.711741924 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.711843967 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712369919 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712383986 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712452888 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712462902 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712507963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712573051 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712615013 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712624073 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712949038 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.712959051 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.713474035 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.713648081 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.713701963 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.715310097 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.715475082 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.715528965 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.717650890 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.717793941 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.717853069 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.719496012 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.719640017 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.719692945 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.721427917 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.721446037 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.721499920 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.723292112 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.723385096 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.723448992 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.725444078 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.725461006 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.725522995 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.727447987 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.727619886 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.727675915 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.729280949 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.780615091 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.836292028 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.836484909 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.836616039 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.837083101 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.837434053 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.837516069 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.837567091 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.839276075 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.839386940 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.839445114 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.841157913 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.841216087 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.841253042 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.843123913 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.843169928 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.843224049 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.845077038 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.845129013 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.845160007 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.847055912 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.847162008 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.847222090 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.849195004 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.849248886 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.849319935 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.851003885 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.851067066 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.851125002 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.852576017 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.852618933 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.852653027 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.854173899 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.854286909 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.854310989 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.855850935 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.855894089 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.855948925 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.857287884 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.857342958 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.857498884 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.858829975 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.858879089 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.858968019 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.860280991 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.860342979 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.860358000 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.862016916 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.862201929 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.862262011 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.863909960 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.863959074 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.864109993 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.866046906 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.866081953 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.866133928 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.866719961 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.866766930 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.866800070 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.868139029 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.868154049 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.868205070 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.869640112 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.869709969 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.869739056 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.871256113 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.871440887 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.871495008 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.872858047 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.872910023 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:49.872967958 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.874511957 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:49.874766111 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.069547892 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.069740057 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.069823027 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.070944071 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.071074009 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.071118116 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.072305918 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.072593927 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.072643042 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.073520899 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.073590040 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.073873997 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.074640989 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.074788094 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.075144053 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.075927973 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.076097012 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.076133013 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.077228069 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.077339888 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.077400923 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.078527927 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.078633070 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.078676939 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.079849005 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.079973936 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.080025911 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.081543922 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.081741095 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.081893921 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.083055019 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.083170891 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.083216906 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.084300041 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.084372044 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.084804058 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.085299015 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.085320950 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.085366964 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.086354971 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.086543083 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.086601019 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.087652922 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.087762117 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.087812901 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.088982105 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.089044094 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.089647055 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.090254068 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.090358973 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.090437889 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.091545105 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.091670036 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.091788054 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.092885971 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.092995882 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.093061924 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.094166040 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.094244957 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.094283104 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.095469952 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.095555067 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.096596003 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.096760988 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.096817970 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.096923113 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.098067045 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.098223925 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.098275900 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.099364996 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.099447012 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.099495888 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.100713015 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.100796938 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.100832939 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.101974964 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.102101088 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.102144957 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.103221893 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.103346109 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.103379011 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.104558945 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.104657888 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.105047941 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.105808973 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.155580997 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.171536922 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.240134001 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.240286112 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.240662098 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.240717888 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.240763903 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.240798950 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.241868019 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.242332935 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.242372036 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.242372036 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.243566036 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.243609905 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.243684053 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.244875908 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.244927883 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.244988918 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.246062994 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.246090889 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.246109962 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.247302055 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.247344017 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.247488976 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.248627901 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.248739958 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.248779058 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.249882936 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.249929905 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.250015020 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.251244068 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:50.251291037 CET497452559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:50.251349926 CET255949745192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852392912 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852432966 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852442026 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852516890 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852535963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852605104 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852613926 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852718115 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852726936 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852806091 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.852844000 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853369951 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853394985 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853594065 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853612900 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853669882 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853709936 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853801012 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853852034 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853952885 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:53.853961945 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:54.567241907 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:54.687892914 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:54.968030930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.013257980 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:55.015005112 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:55.133585930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133599043 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133649111 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133698940 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133708954 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133764982 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133785009 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133793116 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133877993 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133884907 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133933067 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.133949041 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.134016037 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.134032011 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135072947 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135121107 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135171890 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135180950 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135268927 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135277033 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135349989 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135365963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135555983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.135562897 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.577722073 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:55.697757006 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:55.969716072 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.012073040 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:56.013685942 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:56.132339954 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132352114 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132368088 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132375956 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132489920 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132498026 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132585049 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132591963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132647038 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132653952 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132757902 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132766008 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132860899 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.132869005 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133850098 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133898973 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133907080 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133915901 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133923054 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133976936 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.133996010 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.134140968 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.134149075 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.134249926 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.593535900 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:56.725676060 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:56.997621059 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.043397903 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:57.045090914 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:57.163614035 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163630962 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163641930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163662910 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163691044 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163733959 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163832903 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163842916 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163882017 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.163937092 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.164016008 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.164033890 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.164087057 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.164124966 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165312052 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165321112 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165743113 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165770054 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165781021 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165792942 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165802956 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165812969 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165822029 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.165826082 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.609116077 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:57.733023882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:57.996839046 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:58.030220985 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:58.032092094 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:28:58.150463104 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:58.150487900 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:58.150497913 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:58.150511980 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:28:58.150604010 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.257714033 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.257721901 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.257775068 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.257812023 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.257900000 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.257909060 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.258014917 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.258023977 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.258133888 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.258141994 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.258297920 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.258306980 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.259478092 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.259489059 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.259768963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.259777069 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.259879112 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.259887934 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:04.718436003 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:04.838742018 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.129090071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.171294928 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:05.212941885 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:05.214713097 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:05.481355906 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481369972 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481379032 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481383085 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481386900 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481395006 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481404066 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481412888 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481420994 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481429100 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481437922 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481446028 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481455088 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481465101 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481475115 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.481482983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.524123907 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.524141073 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.524149895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.524154902 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:05.734158039 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:05.855539083 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.124123096 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.170043945 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:06.171818972 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:06.291506052 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291529894 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291702032 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291712999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291750908 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291760921 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291806936 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291815996 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291903973 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291913986 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291954994 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.291975975 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.292035103 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.292073965 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.292783022 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.292833090 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.292896986 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.292992115 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.293030024 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.293064117 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:06.749835968 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:06.870028019 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.140672922 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.183624983 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:07.185189009 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:07.304085016 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304097891 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304213047 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304222107 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304347992 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304394960 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304606915 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304615974 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304666996 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304721117 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304785967 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304851055 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.304944992 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305002928 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305228949 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305274963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305440903 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305577040 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305716038 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.305897951 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:07.765790939 CET497422559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:07.885876894 CET255949742192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.156389952 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.200866938 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:08.202631950 CET497432559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:29:08.321024895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321059942 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321249008 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321259022 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321353912 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321400881 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321444988 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321501017 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321630001 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321676970 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321777105 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321813107 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321919918 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.321929932 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.322649002 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.322751999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.322767019 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.322846889 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:29:08.322905064 CET255949743192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.474651098 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.515418053 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:25.629942894 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:25.632297039 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:25.750230074 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750247955 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750267029 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750286102 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750308037 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750315905 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750394106 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750415087 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750485897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750509024 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750607967 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750617981 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750696898 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.750719070 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752284050 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752324104 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752377987 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752399921 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752484083 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752528906 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752558947 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752618074 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752701044 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:25.752743006 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.109841108 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:26.209517956 CET4973680192.168.2.4178.237.33.50
                                                                                                                                                                          Dec 3, 2024 14:30:26.230156898 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.489279985 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.530505896 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:26.532241106 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:26.650913954 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.650932074 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.650943041 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.650975943 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651050091 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651072025 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651145935 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651204109 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651309013 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651328087 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651366949 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651530027 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651544094 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.651635885 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652385950 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652395964 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652412891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652421951 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652503967 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652523041 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652604103 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652626991 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652704000 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:26.652719975 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.125417948 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:27.246243954 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.504209995 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.547748089 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:27.549612999 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:27.667695999 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.667809010 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.667867899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.667956114 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.667982101 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668035984 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668092012 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668195963 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668210983 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668246984 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668271065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668380976 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668392897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.668471098 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669627905 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669676065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669735909 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669771910 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669867992 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669878960 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669939995 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.669989109 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.670126915 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:27.670198917 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.155950069 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:28.275988102 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.535223007 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.621438980 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:28.623462915 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:28.742301941 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742316961 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742420912 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742436886 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742446899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742460966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742561102 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742571115 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742580891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742584944 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742717981 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742732048 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742739916 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.742872000 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744147062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744155884 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744256020 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744438887 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744452953 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744600058 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744609118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744714975 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744724989 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:28.744877100 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:29.172200918 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:29.292459965 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.788871050 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.788903952 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.788979053 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789028883 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789043903 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789155006 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789213896 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789225101 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789360046 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789535046 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.789546967 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790306091 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790467978 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790482044 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790491104 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790498972 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790602922 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790616989 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790626049 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790633917 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:34.790735006 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.265793085 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:35.385662079 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.651282072 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.689671040 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:35.689718962 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:35.691490889 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:35.809835911 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.809890985 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810190916 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810203075 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810211897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810220957 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810329914 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810340881 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810353041 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810364008 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810457945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810468912 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810657978 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.810874939 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811501980 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811553001 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811666012 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811714888 CET4973680192.168.2.4178.237.33.50
                                                                                                                                                                          Dec 3, 2024 14:30:35.811775923 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811785936 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811796904 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811878920 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.811889887 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.812105894 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:35.812257051 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.281935930 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:36.401992083 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.665226936 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.718461990 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:36.722711086 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:36.838440895 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.838567019 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.838622093 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839020014 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839035988 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839045048 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839052916 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839061975 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839070082 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839078903 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839087009 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839096069 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839103937 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.839112043 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.842834949 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.842845917 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843105078 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843116045 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843234062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843245029 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843354940 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843375921 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843523026 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:36.843538046 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:37.476882935 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:37.597410917 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:37.855987072 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:37.888902903 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:37.890454054 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:38.009160042 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009176016 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009185076 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009193897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009228945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009283066 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009372950 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009414911 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009484053 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009500980 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009623051 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009632111 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009732008 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.009741068 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.010380030 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.010544062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.010552883 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.010656118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.010689020 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.011149883 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.011159897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.011168003 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.011176109 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.011184931 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.484766006 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:38.605603933 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.723512888 CET255949735192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.724929094 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:38.812386990 CET497352559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:38.844891071 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:38.845050097 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:38.848576069 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.311917067 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.312069893 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.317214966 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.319300890 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.319386959 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.319400072 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.325397015 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.325493097 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.325495958 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.331185102 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.331229925 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.331257105 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.336781025 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.336860895 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.336900949 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.342645884 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.342714071 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.342714071 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.348380089 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.348489046 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.348557949 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.354348898 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.354368925 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.354477882 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.360172987 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.360260010 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.360279083 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.363624096 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.363732100 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.363991976 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.367202044 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.367311001 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.367347956 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.370671988 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.370754957 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.370774031 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.374243975 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.374456882 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.374481916 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.377779007 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.377952099 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.378083944 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.381325006 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.381431103 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.381459951 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.384790897 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.384902000 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.384984970 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.388258934 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.388318062 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.388371944 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.391978979 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.392157078 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.392183065 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.395447969 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.395556927 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.395741940 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.398946047 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.398961067 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.399061918 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.402417898 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.402575016 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.402602911 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.405848980 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.408474922 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.509665012 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.509701014 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.510196924 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.510477066 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.510617018 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.510759115 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.513614893 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.513712883 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.513900042 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.516787052 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.516845942 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.517009020 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.519857883 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.519947052 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.520118952 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.522900105 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.522927999 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.523036957 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.525789976 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.525866985 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.525962114 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.528665066 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.528717041 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.529062986 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.531420946 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.531541109 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.531812906 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.534172058 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.534286022 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.534738064 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.536905050 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.537003994 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.539710045 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.539783955 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.540324926 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.542386055 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.542458057 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.542561054 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.545126915 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.545224905 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.545692921 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.547859907 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.547980070 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.548026085 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.549464941 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.550612926 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.550678968 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.550775051 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.553364992 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.553484917 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.553600073 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.556108952 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.556207895 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.787966967 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.787992001 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.789930105 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.790045977 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.790075064 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.792063951 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.792150021 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.792388916 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.794106007 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.794225931 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.794260025 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.796197891 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.796367884 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.796408892 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.798316002 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.798433065 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.798579931 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.800409079 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.800468922 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.800544977 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.802536964 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.802628040 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.802656889 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.804615021 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.804713011 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.804886103 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.806706905 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.806782961 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.806889057 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.808830023 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.808923006 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.808950901 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.811126947 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.811203957 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.811247110 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.813194036 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.813294888 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.813309908 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.815237045 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.815325022 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.815359116 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.817207098 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.817368031 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.817395926 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.819367886 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.819451094 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.819453955 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.915954113 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.916026115 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.916081905 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.916774035 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.916832924 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.917040110 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.918490887 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.918574095 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.918579102 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.920241117 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.920322895 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.920394897 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.922027111 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.922044992 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.922127962 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.923578024 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.923686981 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.923700094 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.925265074 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.925354958 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.925395966 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.927064896 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.927160025 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.927170038 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.928525925 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.928647041 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.928672075 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.930145979 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.930255890 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.930255890 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.931725979 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.931821108 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.931859016 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.933309078 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.933423042 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.933433056 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.934864044 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.934952021 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.934993029 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.936476946 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.936587095 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.936602116 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.938020945 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.938110113 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.938131094 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.939531088 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.939619064 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.939661026 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.941183090 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.941236019 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.941252947 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.942599058 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.942648888 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.942697048 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.943643093 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.944108009 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.944152117 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.944200039 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.945611954 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.945660114 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.945709944 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.947134018 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.947184086 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.947267056 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.948615074 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.948664904 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.948741913 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.950117111 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.950297117 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:41.950329065 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:41.951704025 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.131426096 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.131571054 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.132502079 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.132657051 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.132719994 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.133641958 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.133810997 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.133862019 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.134912014 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.135088921 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.135149956 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.136030912 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.136044979 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.136089087 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.137135029 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.137147903 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.137198925 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.138283968 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.138468981 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.138544083 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.139446020 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.139460087 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.139517069 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.140611887 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.140626907 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.140676975 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.141680002 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.141973019 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.142016888 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.142847061 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.143008947 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.143058062 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.144109011 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.144238949 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.144289017 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.145066977 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.145214081 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:42.145261049 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.698913097 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:42.818984032 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.090431929 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.197655916 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:43.200992107 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:43.318010092 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318025112 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318043947 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318053961 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318185091 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318196058 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318300009 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318310022 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318387032 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318434000 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318496943 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318507910 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318598986 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.318609953 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.321032047 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.321069956 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.321203947 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.321301937 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.321355104 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.321430922 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:43.800052881 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:43.920089960 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.184722900 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.261178970 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:44.263181925 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:44.381145954 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381247997 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381302118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381392956 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381422997 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381503105 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381573915 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381627083 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381666899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381763935 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381772995 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381923914 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.381932974 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.382134914 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.383109093 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.383222103 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.383510113 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.383658886 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:44.812901974 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:44.933295965 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.192089081 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.230678082 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:45.232219934 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:45.350819111 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.350856066 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.350938082 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.350960970 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351008892 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351092100 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351125002 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351150036 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351269007 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351277113 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351317883 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351346970 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351397991 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.351448059 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.352310896 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.352389097 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.352570057 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.352680922 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.352791071 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.352904081 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:45.923782110 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:45.925968885 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:46.043747902 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:46.046063900 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:46.046099901 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:46.046164989 CET499232559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:46.046190977 CET255949923192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.634771109 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.634798050 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.635628939 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.635652065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.635782003 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.635929108 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.636009932 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:51.636075974 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.015799046 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:52.135730028 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.394220114 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.446935892 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:52.448853016 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:52.567122936 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567137003 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567326069 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567348003 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567495108 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567504883 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567651987 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567676067 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567763090 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567789078 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567910910 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.567934036 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.568095922 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.568124056 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.569094896 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.569125891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.569273949 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.569331884 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.569394112 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:52.569478035 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.032735109 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:53.153235912 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.411889076 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.485032082 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:53.486556053 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:53.605249882 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605273008 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605331898 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605357885 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605403900 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605426073 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605576992 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605587006 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605664968 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605673075 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605731010 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605739117 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605819941 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.605840921 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.609052896 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.609091043 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:53.609791040 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.047183990 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:54.168934107 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.427566051 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.487256050 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:54.488913059 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:54.607701063 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.607714891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.607800961 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.607811928 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.607929945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.607939005 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608047962 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608057976 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608160973 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608170033 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608213902 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608267069 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608422041 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608439922 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.608995914 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.609101057 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.609143972 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.609261990 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.609467983 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:54.609668970 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.021836996 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:55.141777992 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.455297947 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.515563965 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:55.632900000 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:55.635420084 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:55.753005028 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753072023 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753175020 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753185034 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753273010 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753283024 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753397942 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753407955 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753498077 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753506899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753571987 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753626108 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753698111 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.753755093 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.755443096 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.755453110 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.755634069 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.755705118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.755839109 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.755917072 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:55.969003916 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:56.088996887 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.367522001 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.406266928 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:56.407924891 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:30:56.526412964 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.526452065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.526539087 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.526577950 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.526722908 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.526757002 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:30:56.526912928 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588195086 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588205099 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588352919 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588366032 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588376045 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588386059 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588547945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.588557005 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.590131044 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.590166092 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.590229034 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.590337992 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.590352058 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.590383053 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:01.766622066 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:01.887058973 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.145384073 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.203125000 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:02.206485033 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:02.208003044 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:02.329824924 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.329840899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.329849958 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.329955101 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330106020 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330113888 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330117941 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330415964 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330425024 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330434084 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330444098 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330454111 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.330462933 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331156969 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331304073 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331319094 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331448078 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331456900 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331460953 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.331602097 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.485157013 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:02.605127096 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:02.946289062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.000530958 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.002335072 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.121942997 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.121958017 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122005939 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122023106 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122128963 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122183084 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122291088 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122365952 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122507095 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122548103 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122627974 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122695923 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.122929096 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.123126030 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.123135090 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.123142958 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.123338938 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.188693047 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.309484005 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.568041086 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.703123093 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.791903973 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.837316036 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.890198946 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:03.912739992 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.912764072 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.912826061 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.912838936 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.912982941 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.912995100 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913127899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913140059 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913155079 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913284063 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913419962 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913438082 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913451910 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.913599968 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.959440947 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.959461927 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.959599018 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.959667921 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.959728956 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:03.959820032 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.010893106 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.273989916 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.327466965 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:04.329313040 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:04.447524071 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.447547913 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.447648048 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.447686911 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.447815895 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.447861910 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.447942019 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448018074 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448152065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448160887 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448282003 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448291063 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448554039 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.448564053 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.449256897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.449408054 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.449419975 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.449498892 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.449608088 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.449666023 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.547157049 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:04.667113066 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.925748110 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:04.991276979 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:04.993019104 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:08.681653976 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681663990 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681730986 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681817055 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681827068 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681966066 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681974888 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.681983948 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.682079077 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.682087898 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.682117939 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.682936907 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.682975054 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.683074951 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.683190107 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.683331966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.683417082 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:08.761018991 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.022958040 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.066844940 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:09.068905115 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:09.141469955 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:09.186973095 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187007904 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187063932 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187115908 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187211037 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187220097 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187283993 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187293053 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187338114 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187446117 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187455893 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187555075 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187565088 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.187572956 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.189141035 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.189166069 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.189389944 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.189446926 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.189543962 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.189553976 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.261425972 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.526968002 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.577238083 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:09.579019070 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:09.625602961 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:09.697421074 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697439909 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697536945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697599888 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697705030 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697762966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697772026 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697846889 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697855949 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697864056 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697963953 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.697973013 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.698086023 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.698103905 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.698967934 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.699019909 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.699218035 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.699285984 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.699336052 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.699408054 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:09.745556116 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.006036997 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.061429977 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.063558102 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.094043016 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.181579113 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181607962 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181725979 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181735992 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181802034 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181819916 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181926966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.181967974 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.182090044 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.182168961 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.182307005 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.182317019 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.182354927 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.182468891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.183712959 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.183722019 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.183784008 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.183861017 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.183958054 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.183975935 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.214056969 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.473185062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.515665054 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.521084070 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.522777081 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.548069954 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:10.641381025 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641401052 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641412020 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641433954 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641443968 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641454935 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641557932 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641570091 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641674042 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641702890 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641769886 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641819000 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641869068 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.641943932 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.643009901 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.643162966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.643172979 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.643184900 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.652278900 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:10.668375969 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.511034966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.511255026 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.672547102 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:13.707222939 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.753061056 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:13.754636049 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:13.793194056 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.874695063 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.875098944 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.875379086 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.875828981 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.875991106 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.876156092 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.876166105 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.876444101 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.876621008 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.876631021 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:13.876641989 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.000730991 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.051829100 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.120973110 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.203167915 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.379498005 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.491338968 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.494373083 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.611545086 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611566067 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611648083 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611658096 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611737013 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611756086 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611810923 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611820936 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611911058 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611920118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611965895 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.611974955 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.612107038 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.612118006 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.614464045 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.614588976 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.614619970 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.614789963 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.614933968 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.614943981 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.652055025 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.689434052 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.691756010 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:14.772159100 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.809741974 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.809784889 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.809909105 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.810018063 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.811927080 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.812064886 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.812175035 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.812277079 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.812330961 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:14.969209909 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.030853987 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.079755068 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.082201004 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.089216948 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200141907 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200196028 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200237036 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200330973 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200407028 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200469017 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.200486898 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.202263117 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.202310085 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.202388048 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.202630043 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.266067028 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.347717047 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.386106968 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.389626026 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.391077042 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.509840012 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.509866953 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.510011911 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.510122061 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.510202885 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.510211945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.510292053 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.511070967 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.511141062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.511243105 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.511287928 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.511349916 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.563528061 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.653682947 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.683581114 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.706434965 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.708354950 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.828485966 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.828557014 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.828641891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.828767061 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.844279051 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.942178011 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.964317083 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:15.987984896 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:15.989682913 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:16.108274937 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.108517885 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.108527899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.108539104 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.108582973 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.108638048 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.108726025 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.110009909 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.110071898 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.110132933 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.125436068 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:16.222938061 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:16.245397091 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.504112005 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.505947113 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.562047958 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.615962029 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.625418901 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.625731945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.625762939 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.625991106 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.626002073 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.626071930 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.626154900 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.626199961 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.626288891 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.626327038 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.641865969 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.673136950 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.674968004 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.762098074 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.793255091 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.794060946 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.794997931 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.795067072 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.795120955 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.795255899 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.795267105 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.821157932 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:18.829376936 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.890309095 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.892633915 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:18.949353933 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.010607004 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.010793924 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.010950089 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.011085987 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.011235952 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.011398077 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.011415958 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.012753010 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.012881994 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.013008118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.013159990 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.013259888 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.026110888 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.042551994 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.162703991 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.185935020 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.197726965 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.212048054 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306118965 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306154013 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306221962 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306282043 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306338072 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306405067 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.306451082 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.312555075 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.403147936 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.412877083 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.426136971 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.426162004 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.426171064 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.426179886 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.426228046 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.547945023 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.547996044 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.548005104 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.548018932 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.548027992 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.548037052 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.548046112 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.548053980 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.595375061 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.612554073 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.614054918 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.715477943 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.734291077 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.734390974 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.734543085 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.734551907 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.734678030 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.734687090 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.735843897 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.735975027 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.735984087 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.735991955 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.765997887 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.885998964 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:19.929234028 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:19.974069118 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.015675068 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:20.037992954 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:20.039733887 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:20.049290895 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.094114065 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:20.158118010 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158134937 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158155918 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158188105 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158284903 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158310890 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158364058 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158420086 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158513069 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158533096 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158670902 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158683062 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158723116 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.158741951 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.159672022 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.159825087 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.159965038 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.159975052 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.160082102 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.160090923 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.175338030 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.214261055 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:20.223494053 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:20.225653887 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.585692883 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.585767031 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.637021065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.637144089 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.637299061 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.637408972 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.637418985 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.637599945 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.637609959 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.638561010 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.638659954 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.638822079 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.638932943 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.639020920 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.695709944 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.706269979 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.708530903 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.726417065 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.726541042 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.772396088 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.775480986 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.828653097 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.828726053 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.845407009 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.892570019 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.892652988 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.892765999 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.892951965 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.892961979 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.893040895 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.893110991 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.895673037 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.895726919 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.895800114 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:21.906301022 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:21.949259043 CET255949879192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:22.094316006 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:22.153755903 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:22.291806936 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:22.299762011 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:22.302581072 CET498792559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:22.348628998 CET255949881192.3.64.152192.168.2.4
                                                                                                                                                                          Dec 3, 2024 14:31:22.364238977 CET498812559192.168.2.4192.3.64.152
                                                                                                                                                                          Dec 3, 2024 14:31:22.365813971 CET498812559192.168.2.4192.3.64.152
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 14:28:26.525528908 CET | 192.168.2.4 | 1.1.1.1 | 0x9e89 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 14:28:26.770512104 CET | 1.1.1.1 | 192.168.2.4 | 0x9e89 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 178.237.33.50 | 80 | 7608 | C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:28:26.900859118 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 3, 2024 14:28:28.203247070 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                                                                                                                          date: Tue, 03 Dec 2024 13:28:27 GMT
                                                                                                                                                                          server: Apache
                                                                                                                                                                          content-length: 963
                                                                                                                                                                          content-type: application/json; charset=utf-8
                                                                                                                                                                          cache-control: public, max-age=300
                                                                                                                                                                          access-control-allow-origin: *
                                                                                                                                                                          Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                          0192.168.2.45002552.182.143.2124438C:\Windows\SysWOW64\WerFault.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:31:50 UTC | 178 | OUT | POST /Telemetry.Request HTTP/1.1
                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                          User-Agent: MSDW
                                                                                                                                                                          MSA_DeviceTicket_Error: 0x80004004
                                                                                                                                                                          Content-Length: 4656
                                                                                                                                                                          Host: umwatson.events.data.microsoft.com


                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:08:28:12
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                                                                                                                                                                          Imagebase:0x440000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1733178302.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:2
                                                                                                                                                                          Start time:08:28:15
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                                                                                                                                                                          Imagebase:0xf90000
                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:3
                                                                                                                                                                          Start time:08:28:15
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:4
                                                                                                                                                                          Start time:08:28:15
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe"
                                                                                                                                                                          Imagebase:0xf90000
                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:5
                                                                                                                                                                          Start time:08:28:16
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:6
                                                                                                                                                                          Start time:08:28:16
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp4D69.tmp"
                                                                                                                                                                          Imagebase:0x9a0000
                                                                                                                                                                          File size:187'904 bytes
                                                                                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:7
                                                                                                                                                                          Start time:08:28:16
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:8
                                                                                                                                                                          Start time:08:28:16
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe"
                                                                                                                                                                          Imagebase:0x5d0000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1708551400.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:9
                                                                                                                                                                          Start time:08:28:16
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"c:\program files (x86)\internet explorer\iexplore.exe"
                                                                                                                                                                          Imagebase:0x1b0000
                                                                                                                                                                          File size:828'368 bytes
                                                                                                                                                                          MD5 hash:6F0F06D6AB125A99E43335427066A4A1
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                          Has exited:false

                                                                                                                                                                          Target ID:10
                                                                                                                                                                          Start time:08:28:17
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Imagebase:0xb00000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1800846184.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                          • Detection: 50%, ReversingLabs
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:11
                                                                                                                                                                          Start time:08:28:18
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                          Imagebase:0x7ff693ab0000
                                                                                                                                                                          File size:496'640 bytes
                                                                                                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:12
                                                                                                                                                                          Start time:08:28:23
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNJBFdvJTXAE" /XML "C:\Users\user\AppData\Local\Temp\tmp6853.tmp"
                                                                                                                                                                          Imagebase:0x9a0000
                                                                                                                                                                          File size:187'904 bytes
                                                                                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:13
                                                                                                                                                                          Start time:08:28:23
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:14
                                                                                                                                                                          Start time:08:28:23
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe"
                                                                                                                                                                          Imagebase:0x720000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3843932819.000000000298F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3843351596.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3843167341.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:18
                                                                                                                                                                          Start time:08:28:49
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn"
                                                                                                                                                                          Imagebase:0x120000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:19
                                                                                                                                                                          Start time:08:28:49
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ookoxwnotn"
                                                                                                                                                                          Imagebase:0xc10000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:20
                                                                                                                                                                          Start time:08:28:49
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\yqpgyoyihvmyd"
                                                                                                                                                                          Imagebase:0xb50000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:21
                                                                                                                                                                          Start time:08:28:49
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\bkvrzhjjvdednbzxp"
                                                                                                                                                                          Imagebase:0x580000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:23
                                                                                                                                                                          Start time:08:30:41
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\tplymmqtvomskscmxqb"
                                                                                                                                                                          Imagebase:0x4a0000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:24
                                                                                                                                                                          Start time:08:30:41
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\sebqkwyzlxhlsxrpokduuzlb"
                                                                                                                                                                          Imagebase:0x690000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:25
                                                                                                                                                                          Start time:08:30:41
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv"
                                                                                                                                                                          Imagebase:0x200000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:26
                                                                                                                                                                          Start time:08:30:41
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe /stext "C:\Users\user\AppData\Local\Temp\ygwmbdfwylwnradbutfvogorbukvxjv"
                                                                                                                                                                          Imagebase:0xfc0000
                                                                                                                                                                          File size:1'026'560 bytes
                                                                                                                                                                          MD5 hash:2E69C1A7D2A987F925AAAD945C2CE2B2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:29
                                                                                                                                                                          Start time:08:31:26
                                                                                                                                                                          Start date:03/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 1964
                                                                                                                                                                          Imagebase:0x3b0000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true


                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:12.5%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                            Signature Coverage:0%
                                                                                                                                                                            Total number of Nodes:203
                                                                                                                                                                            Total number of Limit Nodes:10

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: J.lm$Te^q$Te^q
                                                                                                                                                                            • API String ID: 0-3257569621
                                                                                                                                                                            • Opcode ID: da1a646524519c8d446f60f9651c41163c5d6814570c413f83383d22a98e1b2d
                                                                                                                                                                            • Instruction ID: b56725ac653d084c9bab3b4f5f2e6e7fd677419c6ce649d3a8fb265ced213c3b
                                                                                                                                                                            • Opcode Fuzzy Hash: da1a646524519c8d446f60f9651c41163c5d6814570c413f83383d22a98e1b2d
                                                                                                                                                                            • Instruction Fuzzy Hash: 0341A474B00155CFCB04DFE9C89477EBAB6BF89700F20851AE50AEB3A0CA749D059B91

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: J.lm$Te^q$Te^q
                                                                                                                                                                            • API String ID: 0-3257569621
                                                                                                                                                                            • Opcode ID: d7f19f0e771d7e81b43b5b4fc3df88cf8024cac91c5143ba96e61c7426ecf40e
                                                                                                                                                                            • Instruction ID: 29c800669ecb74f0c5eabb37db4dda2ba95bd28476d32c0580bbc411d18ce32f
                                                                                                                                                                            • Opcode Fuzzy Hash: d7f19f0e771d7e81b43b5b4fc3df88cf8024cac91c5143ba96e61c7426ecf40e
                                                                                                                                                                            • Instruction Fuzzy Hash: CB41A474B10155CFCB04DFE9C89477EBAF6BF99700F20842AE50AEB3A0CA749D019B91

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 2@$O1
                                                                                                                                                                            • API String ID: 0-800371740
                                                                                                                                                                            • Opcode ID: c8e43ab737438c4f5b7d6ee9ce2de9e173947fc81ddfe0106762557fe527c40c
                                                                                                                                                                            • Instruction ID: 4371c181cae75046621c63ee53857358f82c70cfed52404a2a89568209406195
                                                                                                                                                                            • Opcode Fuzzy Hash: c8e43ab737438c4f5b7d6ee9ce2de9e173947fc81ddfe0106762557fe527c40c
                                                                                                                                                                            • Instruction Fuzzy Hash: C8813671A28201CFC304CF29CD98A1ABBB9FB49310B62C457D54ADF6A1C734ED61EB49
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            • Opcode ID: bca50f2301851dbe80a56f9bed3ffd9d8399284a478819cdbb7d6be4a61ebaa3
                                                                                                                                                                            • Instruction ID: 35ab88ca44b73c2686898e0ec2233da38c0fbef804f7524570a60344d2d66cc8
                                                                                                                                                                            • Opcode Fuzzy Hash: bca50f2301851dbe80a56f9bed3ffd9d8399284a478819cdbb7d6be4a61ebaa3
                                                                                                                                                                            • Instruction Fuzzy Hash: 3FC15271A18201CFC705CF28CC94A59BFB1FF49310B26C59AC84A9B6A2C734ED55EB55
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            • Opcode ID: aad2efe11af0936091c55ff33a924ae58e36403c1edae69dcfb49744a94ab59e
                                                                                                                                                                            • Instruction ID: 5ad0675ad80f07e00e1433c7bebf17c52e2bce2bda02542dbdebeaebdb09a705
                                                                                                                                                                            • Opcode Fuzzy Hash: aad2efe11af0936091c55ff33a924ae58e36403c1edae69dcfb49744a94ab59e
                                                                                                                                                                            • Instruction Fuzzy Hash: B7B15671A18201CFC305CF28CC94A59BFB5FF5A310B26C45BC84A9B6A2C734EE55EB55
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            • Opcode ID: 6906fbe2b6346094d1627ca5c7dfdf7040139caae4500baeaaacf2a2af4af9e4
                                                                                                                                                                            • Instruction ID: c2767b9f356fe36581a033c0a5107e431806fe9710feb5557f63577a6cf7b03c
                                                                                                                                                                            • Opcode Fuzzy Hash: 6906fbe2b6346094d1627ca5c7dfdf7040139caae4500baeaaacf2a2af4af9e4
                                                                                                                                                                            • Instruction Fuzzy Hash: 00C155B1A18201CFC305CF28CC94A59BFB4FF59310B26C55AC84ADB6A2C734E955EB55
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            • Opcode ID: a02d130f460a6559cccbc30334c7fb149116aefc2695eec418f50d2097d97478
                                                                                                                                                                            • Instruction ID: d12e43e5530f3bb293f5bb96a1d49960102ef8abe1252536f8a7780e2e3491a6
                                                                                                                                                                            • Opcode Fuzzy Hash: a02d130f460a6559cccbc30334c7fb149116aefc2695eec418f50d2097d97478
                                                                                                                                                                            • Instruction Fuzzy Hash: 26B14671A18201CFC305CF28CC98A59BFB4FF5A310B26C45BC84A9F6A2C734E956EB55
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            • Opcode ID: 29ea9318d9fef922f52a24479d71ee3de4c3eeeffde6157be95f09de17f00ad7
                                                                                                                                                                            • Instruction ID: d37ee5179c649dc867a73984ad2c94a1c38e5101393e4ad6f74edec465b15208
                                                                                                                                                                            • Opcode Fuzzy Hash: 29ea9318d9fef922f52a24479d71ee3de4c3eeeffde6157be95f09de17f00ad7
                                                                                                                                                                            • Instruction Fuzzy Hash: 10B17771A28201CFC305CF28CC98A59BFB4FF5A310B26C55BC8499F6A2C734E955EB45
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: O1
                                                                                                                                                                            • API String ID: 0-1595457996
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0913B4CE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 963392458-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0913B4CE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 963392458-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E15302
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E15302
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E15302
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0

                                                                                                                                                                            APIs
                                                                                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E17881
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallProcWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2714655100-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00C78F01
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00C78F01
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E15302
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0913B0A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0913B0A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3559483778-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0913AEF6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ContextThreadWow64
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 983334009-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0913B180
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1726664587-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0913AEF6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ContextThreadWow64
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 983334009-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0913B180
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1726664587-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0913AFBE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0913AFBE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ResumeThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 947044025-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ResumeThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 947044025-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00C7E83E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4139908857-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0913FB6D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessagePost
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0913FB6D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessagePost
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 410705778-0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b3b408c64a6cf1a30fb13a07f3e8d1cd5c732b6ab129339ec36ef7a80685a976
                                                                                                                                                                            • Instruction ID: f3ce53933bb5a70b81f75eca2ab7648d16c09cb756f7f9da9fe25724ec3991cd
                                                                                                                                                                            • Opcode Fuzzy Hash: b3b408c64a6cf1a30fb13a07f3e8d1cd5c732b6ab129339ec36ef7a80685a976
                                                                                                                                                                            • Instruction Fuzzy Hash: 7FD10430C10B5ACADB01EB64D954A99B7B1FFD5301F108B9AE0493B255FB74AAC5CF81
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f165c876d39e72f33ff271cf05b8b9d2ecf6b1d63677df307a34a1ad6a4fcaa1
                                                                                                                                                                            • Instruction ID: b67057b21da2f192ee62daaaf3121872d1ab1be8209c3d3aac36da18a9a4c253
                                                                                                                                                                            • Opcode Fuzzy Hash: f165c876d39e72f33ff271cf05b8b9d2ecf6b1d63677df307a34a1ad6a4fcaa1
                                                                                                                                                                            • Instruction Fuzzy Hash: C0D1F430C20A5ACACB01EB64D954A99B7B1FFD5301F108B9AE0493B255FB74AAC5CF81
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4f66de9730e0c523b36a21fdc51be18295159250daabb0d35e782704fa53b85b
                                                                                                                                                                            • Instruction ID: 2e72bb999c04bb6ef2f998ce4e249b3612028d919d704e152aa75e99bc0505b6
                                                                                                                                                                            • Opcode Fuzzy Hash: 4f66de9730e0c523b36a21fdc51be18295159250daabb0d35e782704fa53b85b
                                                                                                                                                                            • Instruction Fuzzy Hash: E8A18F36E402098FCF05DFB5C84459EB7B2FF88304B1555AAEA06BB264DB31E945CF90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1739652022.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_4e10000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f81a2e9e81b837d14ecebd685a9e54e1530eb150a777a9aa4bdca82269cd2e9c
                                                                                                                                                                            • Instruction ID: 055fb0556ae32bd970f5ffa736826652523a4e46d115954086f9590cfb1a2be9
                                                                                                                                                                            • Opcode Fuzzy Hash: f81a2e9e81b837d14ecebd685a9e54e1530eb150a777a9aa4bdca82269cd2e9c
                                                                                                                                                                            • Instruction Fuzzy Hash: BDC1D2B2900B468ED711DF66EC4838BBBB2BB85328B654719D2617B2F1DBB4144ECF44
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3c2c2e25344271672175c70f3ff7a2007f742da173dacdcf294a4d0a3664fbfb
                                                                                                                                                                            • Instruction ID: 355cd0bed15a1fad64a9861eea62360bd01a55501651fd24bc6ede1a1fc4e51b
                                                                                                                                                                            • Opcode Fuzzy Hash: 3c2c2e25344271672175c70f3ff7a2007f742da173dacdcf294a4d0a3664fbfb
                                                                                                                                                                            • Instruction Fuzzy Hash: 0A51FBB0E002198FDB14DFA9C5805AEBBF2FF89304F64C1AAE419AB355D7349942CF61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1742977369.0000000009130000.00000040.00000800.00020000.00000000.sdmp, Offset: 09130000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9130000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ea72fb17415d5c5427fd7408ee8b5057b7544296d3b9e4aa0515bc339147c187
                                                                                                                                                                            • Instruction ID: 32f1987d8e7d4785eb9b390194e966dc3330f4d740552d6e7346e4c63bcfcb04
                                                                                                                                                                            • Opcode Fuzzy Hash: ea72fb17415d5c5427fd7408ee8b5057b7544296d3b9e4aa0515bc339147c187
                                                                                                                                                                            • Instruction Fuzzy Hash: 2F512874E002198FCB18CFA9C5805AEBBF2FF89304F64C16AD458AB356D7359942CFA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1729905455.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_c70000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: da81acff27ca1e7b67e11549f7375ddcc3ead8aef87246250623a432bfb71bda
                                                                                                                                                                            • Instruction ID: c4ed7f8faf61db1a408e29a57bc5e1bde9e3e4ca05fef5a49a355096fd5093b5
                                                                                                                                                                            • Opcode Fuzzy Hash: da81acff27ca1e7b67e11549f7375ddcc3ead8aef87246250623a432bfb71bda
                                                                                                                                                                            • Instruction Fuzzy Hash: E441A371F2425ACFCB44CF5EC98596EBBB6BB88740F25C126E809EB351C234DE019B91

Execution Graph

Execution Coverage: 2.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 13.5%
Total number of Nodes: 817
Total number of Limit Nodes: 27
41b3cc StrToIntA 46932->46934 46933->46601 46935 41b3e3 46934->46935 46936 41b3da 46934->46936 46938 401fd8 11 API calls 46935->46938 47259 41cffa 22 API calls 46936->47259 46938->46933 46940 407765 46939->46940 46941 413584 3 API calls 46940->46941 46942 40776c 46941->46942 46942->46614 46942->46615 46944 41bd03 46943->46944 47260 40b93f 46944->47260 46946 41bd0b 46946->46630 46948 401f22 46947->46948 46949 401f6a 46947->46949 46950 402252 11 API calls 46948->46950 46956 401f09 46949->46956 46951 401f2b 46950->46951 46952 401f6d 46951->46952 46953 401f46 46951->46953 47293 402336 11 API calls 46952->47293 47292 40305c 28 API calls 46953->47292 46957 402252 11 API calls 46956->46957 46958 401f12 46957->46958 46958->46643 46960 4139a0 46959->46960 46961 406e13 28 API calls 46960->46961 46962 4139b5 46961->46962 46963 4020f6 28 API calls 46962->46963 46964 4139c5 46963->46964 46965 4137aa 14 API calls 46964->46965 46966 4139cf 46965->46966 46967 401fd8 11 API calls 46966->46967 46968 4139dc 46967->46968 46968->46690 46970 40f4e0 46969->46970 46971 40f669 46970->46971 47294 401f86 46970->47294 47313 41b71b 46971->47313 46976 40f586 Process32NextW 46978 40f59d CloseHandle 46976->46978 46994 40f518 46976->46994 46977 401f13 28 API calls 46979 40f67f 46977->46979 46981 40f5b2 46978->46981 46982 401f09 11 API calls 46979->46982 46984 40f5be 46981->46984 47023 40f660 46981->47023 46983 40f688 46982->46983 46987 40f6a3 CloseHandle 46983->46987 47021 40f611 46983->47021 46986 401f09 11 API calls 46984->46986 46985 401f09 11 API calls 46985->46971 46988 40f5c3 46986->46988 46989 4020df 11 API calls 46987->46989 46988->46987 46991 40f6b8 46989->46991 46990 401f09 11 API calls 46992 40ef23 46990->46992 47336 41c516 CreateFileW 46991->47336 46992->46571 46992->46672 46995 40f5c8 46994->46995 46996 401f09 11 API calls 46994->46996 47298 40417e 46994->47298 47304 41c26e OpenProcess 46995->47304 46996->46976 46997 40f6cd 47344 4185a3 46997->47344 47001 401f13 28 API calls 47002 
40f5e2 47001->47002 47004 401f09 11 API calls 47002->47004 47003 40f6ed 47006 40f7a2 47003->47006 47007 40417e 28 API calls 47003->47007 47005 40f5eb 47004->47005 47011 40f5ff 47005->47011 47019 40f616 47005->47019 47347 4138b2 RegCreateKeyA 47006->47347 47008 40f707 47007->47008 47352 409196 28 API calls 47008->47352 47010 40f797 47014 401fd8 11 API calls 47010->47014 47013 401f09 11 API calls 47011->47013 47016 40f608 47013->47016 47014->47021 47015 40f724 47024 4185a3 31 API calls 47015->47024 47017 401f09 11 API calls 47016->47017 47017->47021 47018 40f657 47020 401f09 11 API calls 47018->47020 47019->47018 47350 41c076 OpenProcess 47019->47350 47020->47023 47021->46990 47023->46985 47026 40f735 47024->47026 47025 40f634 47025->47018 47027 40f638 47025->47027 47028 401f09 11 API calls 47026->47028 47351 40b9a7 28 API calls 47027->47351 47035 40f742 47028->47035 47030 40f649 47031 401f09 11 API calls 47030->47031 47033 40f652 47031->47033 47032 40f799 47034 401f09 11 API calls 47032->47034 47033->46978 47034->47006 47035->47032 47353 409196 28 API calls 47035->47353 47037 40f765 47038 4185a3 31 API calls 47037->47038 47039 40f776 47038->47039 47040 401f09 11 API calls 47039->47040 47041 40f783 47040->47041 47041->47032 47042 40f789 47041->47042 47043 40d0a4 2 API calls 47042->47043 47044 40f78e 47043->47044 47045 401f09 11 API calls 47044->47045 47045->47010 47046->46555 47047->46562 47048->46566 47050->46589 47051->46609 47052->46621 47053->46614 47054->46604 47055->46620 47056->46678 47057->46691 47058->46672 47060 40209b 47059->47060 47061 4023ce 11 API calls 47060->47061 47062 4020a6 47061->47062 47414 4024ed 47062->47414 47066 4137fa 47065->47066 47067 4137c3 47065->47067 47068 401fd8 11 API calls 47066->47068 47070 4137d5 RegSetValueExA RegCloseKey 47067->47070 47069 40efd9 47068->47069 47069->46693 47070->47066 47071->46697 47072->46704 47073->46714 47074->46722 47075->46733 47078 434563 47076->47078 47077 43bda0 new 21 API calls 47077->47078 47078->47077 
47079 40f10c 47078->47079 47418 443001 7 API calls 2 library calls 47078->47418 47419 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47078->47419 47420 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47078->47420 47079->46740 47083->46769 47084->46782 47085->46756 47086->46762 47088->46790 47090 413682 RegQueryValueExW RegCloseKey 47089->47090 47091 4136af 47089->47091 47090->47091 47092 40417e 28 API calls 47091->47092 47093 40f34e 47092->47093 47093->46800 47094->46610 47096->46634 47097->46646 47421 41ada8 104 API calls 47098->47421 47100 41b556 LoadResource LockResource SizeofResource 47099->47100 47101 40f419 47099->47101 47100->47101 47102 43bda0 47101->47102 47107 4461b8 __Getctype 47102->47107 47103 4461f6 47119 44062d 20 API calls __dosmaperr 47103->47119 47105 4461e1 RtlAllocateHeap 47106 4461f4 47105->47106 47105->47107 47106->46836 47107->47103 47107->47105 47118 443001 7 API calls 2 library calls 47107->47118 47110 4020bf 47109->47110 47120 4023ce 47110->47120 47112 4020ca 47124 40250a 47112->47124 47114 4020d9 47114->46839 47116 4020b7 28 API calls 47115->47116 47117 406e27 47116->47117 47117->46846 47118->47107 47119->47106 47121 4023d8 47120->47121 47122 402428 47120->47122 47121->47122 47131 4027a7 47121->47131 47122->47112 47125 40251a 47124->47125 47126 402535 47125->47126 47128 402520 47125->47128 47152 4028e8 47126->47152 47142 402569 47128->47142 47130 402533 47130->47114 47132 402e21 47131->47132 47135 4016b4 47132->47135 47134 402e30 47134->47122 47136 4016cb 47135->47136 47137 4016c6 47135->47137 47136->47137 47138 4016f3 47136->47138 47141 43bd68 11 API calls _Atexit 47137->47141 47138->47134 47140 43bd67 47141->47140 47163 402888 47142->47163 47144 40257d 47145 402592 47144->47145 47146 4025a7 47144->47146 47168 402a34 22 API calls 47145->47168 47148 4028e8 28 API calls 47146->47148 47151 4025a5 47148->47151 47149 40259b 47169 4029da 22 API calls 47149->47169 47151->47130 47153 
4028f1 47152->47153 47154 402953 47153->47154 47155 4028fb 47153->47155 47177 4028a4 22 API calls 47154->47177 47158 402904 47155->47158 47160 402917 47155->47160 47171 402cae 47158->47171 47161 402915 47160->47161 47162 4023ce 11 API calls 47160->47162 47161->47130 47162->47161 47164 402890 47163->47164 47165 402898 47164->47165 47170 402ca3 22 API calls 47164->47170 47165->47144 47168->47149 47169->47151 47172 402cb8 __EH_prolog 47171->47172 47178 402e54 22 API calls 47172->47178 47174 4023ce 11 API calls 47176 402d92 47174->47176 47175 402d24 47175->47174 47176->47161 47178->47175 47180 4020e7 47179->47180 47181 4023ce 11 API calls 47180->47181 47182 4020f2 47181->47182 47182->46855 47183->46855 47185 41ced2 47184->47185 47186 41cf31 47185->47186 47190 41cee2 47185->47190 47187 41cf4b 47186->47187 47188 41d071 28 API calls 47186->47188 47205 41d1d7 28 API calls 47187->47205 47188->47187 47191 41cf1a 47190->47191 47196 41d071 47190->47196 47204 41d1d7 28 API calls 47191->47204 47192 41cf2d 47192->46855 47195->46864 47198 41d079 47196->47198 47197 41d0ab 47197->47191 47198->47197 47199 41d0af 47198->47199 47202 41d093 47198->47202 47216 402725 22 API calls 47199->47216 47206 41d0e2 47202->47206 47204->47192 47205->47192 47207 41d0ec __EH_prolog 47206->47207 47217 402717 22 API calls 47207->47217 47209 41d0ff 47218 41d1ee 11 API calls 47209->47218 47211 41d125 47213 41d15d 47211->47213 47219 402730 11 API calls 47211->47219 47213->47197 47214 41d144 47220 402712 11 API calls std::_Deallocate 47214->47220 47217->47209 47218->47211 47219->47214 47220->47213 47221->46878 47222->46883 47223->46881 47226 4032aa 47225->47226 47227 4028e8 28 API calls 47226->47227 47228 4032c9 47226->47228 47227->47228 47228->46894 47230 4051fb 47229->47230 47239 405274 47230->47239 47232 405208 47232->46897 47234 402061 47233->47234 47235 4023ce 11 API calls 47234->47235 47236 40207b 47235->47236 47244 40267a 47236->47244 47240 405282 47239->47240 47243 4028a4 22 API calls 47240->47243 
47245 40268b 47244->47245 47246 4023ce 11 API calls 47245->47246 47247 40208d 47246->47247 47247->46900 47248->46908 47249->46913 47252 41b362 47251->47252 47253 41c055 GetCurrentProcess 47251->47253 47254 4135e1 RegOpenKeyExA 47252->47254 47253->47252 47255 413639 47254->47255 47256 41360f RegQueryValueExA RegCloseKey 47254->47256 47257 402093 28 API calls 47255->47257 47256->47255 47258 41364e 47257->47258 47258->46927 47259->46935 47261 40b947 47260->47261 47266 402252 47261->47266 47263 40b952 47270 40b967 47263->47270 47265 40b961 47265->46946 47267 4022ac 47266->47267 47268 40225c 47266->47268 47267->47263 47268->47267 47277 402779 11 API calls std::_Deallocate 47268->47277 47271 40b9a1 47270->47271 47272 40b973 47270->47272 47289 4028a4 22 API calls 47271->47289 47278 4027e6 47272->47278 47276 40b97d 47276->47265 47277->47267 47279 4027ef 47278->47279 47280 402851 47279->47280 47281 4027f9 47279->47281 47291 4028a4 22 API calls 47280->47291 47284 402802 47281->47284 47285 402815 47281->47285 47290 402aea 28 API calls __EH_prolog 47284->47290 47286 402813 47285->47286 47288 402252 11 API calls 47285->47288 47286->47276 47288->47286 47290->47286 47292->46949 47293->46949 47295 401f8e 47294->47295 47296 402252 11 API calls 47295->47296 47297 401f99 CreateToolhelp32Snapshot Process32FirstW 47296->47297 47297->46976 47299 404186 47298->47299 47300 402252 11 API calls 47299->47300 47301 404191 47300->47301 47354 4041bc 47301->47354 47305 41c292 OpenProcess 47304->47305 47306 41c2ac K32GetProcessImageFileNameW 47304->47306 47305->47306 47307 41c2a5 47305->47307 47308 41c2c4 CloseHandle 47306->47308 47309 41c2cc CloseHandle 47306->47309 47311 40417e 28 API calls 47307->47311 47308->47307 47366 41c0ac lstrlenW 47309->47366 47312 40f5d8 47311->47312 47312->47001 47314 413656 31 API calls 47313->47314 47315 41b737 47314->47315 47383 445825 37 API calls 2 library calls 47315->47383 47317 41b746 47384 409049 28 API calls 47317->47384 47319 41b763 47320 401f13 28 API 
calls 47319->47320 47321 41b76b 47320->47321 47322 401f09 11 API calls 47321->47322 47323 41b773 47322->47323 47385 409097 28 API calls 47323->47385 47325 41b77e 47386 41bdd3 28 API calls 47325->47386 47327 41b787 47328 401f13 28 API calls 47327->47328 47329 41b792 47328->47329 47330 401f09 11 API calls 47329->47330 47331 41b79a 47330->47331 47332 41c048 GetCurrentProcess 47331->47332 47334 41b7d5 _wcslen 47332->47334 47333 40f672 47333->46977 47334->47333 47387 41cfd5 28 API calls 47334->47387 47337 41c540 GetFileSize 47336->47337 47338 41c53c 47336->47338 47388 40244e 47337->47388 47338->46997 47340 41c554 47341 41c566 ReadFile 47340->47341 47342 41c573 47341->47342 47343 41c575 CloseHandle 47341->47343 47342->47343 47343->47338 47393 41812a 47344->47393 47348 4138f4 47347->47348 47349 4138ca RegSetValueExA RegCloseKey 47347->47349 47348->47010 47349->47348 47350->47025 47351->47030 47352->47015 47353->47037 47355 4041c8 47354->47355 47358 4041d9 47355->47358 47357 40419c 47357->46994 47359 4041e9 47358->47359 47360 404206 47359->47360 47361 4041ef 47359->47361 47362 4027e6 28 API calls 47360->47362 47365 404267 28 API calls 47361->47365 47364 404204 47362->47364 47364->47357 47365->47364 47367 41c0d1 _memcmp 47366->47367 47372 41c108 ctype 47366->47372 47370 41c0f1 lstrlenW 47367->47370 47367->47372 47368 41c126 FindFirstVolumeW 47369 41c146 GetLastError 47368->47369 47373 41c153 _wcslen 47368->47373 47371 41c1f9 47369->47371 47370->47367 47370->47372 47371->47307 47372->47368 47374 41c1e3 47373->47374 47376 41c174 QueryDosDeviceW 47373->47376 47375 41c1e8 FindVolumeClose 47374->47375 47375->47371 47377 41c261 GetLastError 47376->47377 47378 41c19c lstrcmpW 47376->47378 47377->47375 47379 41c213 GetVolumePathNamesForVolumeNameW 47378->47379 47380 41c1af FindNextVolumeW 47378->47380 47379->47377 47382 41c23b lstrcatW lstrcpyW 47379->47382 47380->47373 47381 41c204 GetLastError 47380->47381 47381->47374 47381->47375 47382->47375 47383->47317 47384->47319 
47385->47325 47386->47327 47387->47333 47389 402456 47388->47389 47390 402460 47389->47390 47392 402a51 28 API calls 47389->47392 47390->47340 47392->47390 47394 418157 8 API calls 47393->47394 47395 4181c4 ___scrt_get_show_window_mode 47394->47395 47413 41847b CloseHandle CloseHandle 47394->47413 47396 41822a CreateProcessW 47395->47396 47395->47413 47397 418260 VirtualAlloc Wow64GetThreadContext 47396->47397 47398 4184b5 GetLastError 47396->47398 47399 41847f VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 47397->47399 47400 41828e ReadProcessMemory 47397->47400 47398->47413 47399->47413 47400->47399 47401 4182b4 NtCreateSection 47400->47401 47401->47399 47402 4182dc 47401->47402 47403 4182eb NtUnmapViewOfSection 47402->47403 47404 4182fc NtMapViewOfSection 47402->47404 47403->47404 47405 418320 VirtualFree NtClose TerminateProcess 47404->47405 47406 418368 GetCurrentProcess NtMapViewOfSection 47404->47406 47405->47394 47407 418363 47405->47407 47406->47399 47408 418395 ctype 47406->47408 47407->47413 47409 418431 WriteProcessMemory 47408->47409 47410 418454 Wow64SetThreadContext 47408->47410 47409->47399 47411 418450 47409->47411 47410->47399 47412 41846d ResumeThread 47410->47412 47411->47410 47412->47399 47412->47413 47413->47003 47415 4024f9 47414->47415 47416 40250a 28 API calls 47415->47416 47417 4020b1 47416->47417 47417->46685 47418->47078 47429 412829 61 API calls 47425->47429 47431 443248 FindHandler 47430->47431 47432 443260 47431->47432 47433 443396 _Atexit GetModuleHandleW 47431->47433 47452 445909 EnterCriticalSection 47432->47452 47435 443254 47433->47435 47435->47432 47464 4433da GetModuleHandleExW 47435->47464 47439 443268 47442 4432dd 47439->47442 47449 443306 47439->47449 47472 443ff0 20 API calls _Atexit 47439->47472 47440 443323 47456 443355 47440->47456 47441 44334f 47475 4577a9 5 API calls ___crtLCMapStringA 47441->47475 47443 4432f5 47442->47443 47473 444276 5 API calls ___crtLCMapStringA 47442->47473 47474 
444276 5 API calls ___crtLCMapStringA 47443->47474 47453 443346 47449->47453 47452->47439 47476 445951 LeaveCriticalSection 47453->47476 47455 44331f 47455->47440 47455->47441 47477 448d49 47456->47477 47459 443383 47462 4433da _Atexit 8 API calls 47459->47462 47460 443363 GetPEB 47460->47459 47461 443373 GetCurrentProcess TerminateProcess 47460->47461 47461->47459 47463 44338b ExitProcess 47462->47463 47465 443404 GetProcAddress 47464->47465 47466 443427 47464->47466 47469 443419 47465->47469 47467 443436 47466->47467 47468 44342d FreeLibrary 47466->47468 47470 43502b ___crtLCMapStringA 5 API calls 47467->47470 47468->47467 47469->47466 47471 443440 47470->47471 47471->47432 47472->47442 47473->47443 47474->47449 47476->47455 47478 448d64 47477->47478 47479 448d6e 47477->47479 47490 43502b 47478->47490 47483 44854a 47479->47483 47482 44335f 47482->47459 47482->47460 47484 44857a 47483->47484 47487 448576 47483->47487 47484->47478 47485 44859a 47485->47484 47488 4485a6 GetProcAddress 47485->47488 47487->47484 47487->47485 47497 4485e6 47487->47497 47489 4485b6 __crt_fast_encode_pointer 47488->47489 47489->47484 47491 435036 IsProcessorFeaturePresent 47490->47491 47492 435034 47490->47492 47494 435078 47491->47494 47492->47482 47504 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47494->47504 47496 43515b 47496->47482 47498 448607 LoadLibraryExW 47497->47498 47499 4485fc 47497->47499 47500 448624 GetLastError 47498->47500 47503 44863c 47498->47503 47499->47487 47501 44862f LoadLibraryExW 47500->47501 47500->47503 47501->47503 47502 448653 FreeLibrary 47502->47499 47503->47499 47503->47502 47504->47496 47505 40165e 47506 401666 47505->47506 47507 401669 47505->47507 47508 4016a8 47507->47508 47510 401696 47507->47510 47509 43455e new 22 API calls 47508->47509 47511 40169c 47509->47511 47512 43455e new 22 API calls 47510->47512 47512->47511

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
• GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
• GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD70
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
• GetProcAddress.KERNEL32(00000000), ref: 0041CD84
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
• GetProcAddress.KERNEL32(00000000), ref: 0041CD98
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
• Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
• Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                                                                                                            • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                                                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                                                                                            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 004182A6
                                                                                                                                                                            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                                                                                                                            • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                                                                                                            • NtClose.NTDLL(?), ref: 00418332
                                                                                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00418446
                                                                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                                                                                                            • ResumeThread.KERNELBASE(?), ref: 00418470
                                                                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                                                                                                                            • NtClose.NTDLL(?), ref: 004184A3
                                                                                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004184B5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                                                                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                            • API String ID: 3150337530-3035715614
                                                                                                                                                                            • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                                                                                                                                            • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                                                                                                                            • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                                                                                                                                            • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                                                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                                                                                                                                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                                                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                                                                                                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                                                                                                            • API String ID: 3756808967-1743721670
                                                                                                                                                                            • Opcode ID: da443440b28f1eae5c7b0155bbdce7f5ca32cb0f0e1642a96bb257d71490179a
                                                                                                                                                                            • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                                                                                                                                            • Opcode Fuzzy Hash: da443440b28f1eae5c7b0155bbdce7f5ca32cb0f0e1642a96bb257d71490179a
                                                                                                                                                                            • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0044338F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 1703294689-263838557
                                                                                                                                                                            • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                                                                                            • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                                                                                                                            • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                                                                                                            • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                                                                                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                                                                                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe,00000104), ref: 0040EA29
                                                                                                                                                                              • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                                                                            • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                                                                                                                            • API String ID: 2830904901-2220616537

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                                                                                                                            • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                                                                                                                                            • FindFirstVolumeW.KERNELBASE(?,00000104,?), ref: 0041C133
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                                                                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                                                                                                                                            • lstrcmpW.KERNELBASE(?,?), ref: 0041C1A5
                                                                                                                                                                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0041C1CC
                                                                                                                                                                            • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041C204
                                                                                                                                                                            • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,?,?), ref: 0041C231
                                                                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041C261
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                                                                            • String ID: ?
                                                                                                                                                                            • API String ID: 3941738427-1684325040

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 00404E43
                                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 00404E4C
                                                                                                                                                                            • closesocket.WS2_32(?), ref: 00404E5A
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 00404EA2
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 00404EBA
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 00404ED1
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 3658366068-263838557

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00413656: RegOpenKeyExW.KERNELBASE(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                                                                                                                              • Part of subcall function 00413656: RegQueryValueExW.KERNELBASE(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                                                                              • Part of subcall function 00413656: RegCloseKey.KERNELBASE(?), ref: 004136A0
                                                                                                                                                                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                                                                                                            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                                                            • API String ID: 37874593-122982132

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                                              • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                                                                              • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                                                                                              • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                                                                                                                                            • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                                                                                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 731 41c26e-41c290 OpenProcess 732 41c292-41c2a3 OpenProcess 731->732 733 41c2ac-41c2c2 K32GetProcessImageFileNameW 731->733 732->733 734 41c2a5-41c2aa 732->734 735 41c2c4-41c2ca CloseHandle 733->735 736 41c2cc-41c2d8 CloseHandle call 41c0ac 733->736 737 41c2e4-41c2f3 call 40417e 734->737 735->734 740 41c2dd-41c2e3 736->740 740->737
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                                                            • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CloseHandleOpen$FileImageName

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 742 4137aa-4137c1 RegCreateKeyA 743 4137c3-4137f8 call 40247c call 401fab RegSetValueExA RegCloseKey 742->743 744 4137fa 742->744 746 4137fc-41380a call 401fd8 743->746 744->746
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                                                                                                                            • RegSetValueExA.KERNELBASE(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                                                                                                                                            • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateValue
                                                                                                                                                                            • String ID: Control Panel\Desktop

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 760 4485e6-4485fa 761 448607-448622 LoadLibraryExW 760->761 762 4485fc-448605 760->762 764 448624-44862d GetLastError 761->764 765 44864b-448651 761->765 763 44865e-448660 762->763 766 44863c 764->766 767 44862f-44863a LoadLibraryExW 764->767 768 448653-448654 FreeLibrary 765->768 769 44865a 765->769 770 44863e-448640 766->770 767->770 768->769 771 44865c-44865d 769->771 770->765 772 448642-448649 770->772 771->763 772->771
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                                                                                                                            • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LibraryLoad$ErrorLast

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 773 41c516-41c53a CreateFileW 774 41c540-41c571 GetFileSize call 40244e call 401fab ReadFile 773->774 775 41c53c-41c53e 773->775 781 41c573 774->781 782 41c575-41c57c CloseHandle 774->782 776 41c57e-41c582 775->776 781->782 782->776
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                                                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseCreateHandleReadSize

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 783 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040D0BE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateErrorLastMutex
                                                                                                                                                                            • String ID: SG

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 786 4135e1-41360d RegOpenKeyExA 787 413642 786->787 788 41360f-413637 RegQueryValueExA RegCloseKey 786->788 789 413644 787->789 788->789 790 413639-413640 788->790 791 413649-413655 call 402093 789->791 790->791
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                                                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                                                                                                                            • RegQueryValueExW.KERNELBASE(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004136A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                                                                            • RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                                                                            • RegCloseKey.KERNELBASE(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1818849710-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                                                                                                                                                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2279764990-0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Deallocatestd::_
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1323251999-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                                                                                                              • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                                                                                                                                              • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                                                                                                                                              • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                                                                                                                                              • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                                                                                                                                              • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                                                                                                                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                                                                                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                                                                                                              • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                                                                              • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                                                                              • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                                                                              • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                                                                            • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                                                                                                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                                                                                                                              • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                                                                            • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                                                                                                                            APIs
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                                                                                                            • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                                                                                                                                            • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                                                                                                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                                                                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                                                                                                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                                                                                                                                            • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 00405A23
                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 00405A45
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                                                                            • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                                                                                                                              • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                                                                              • Part of subcall function 004138B2: RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                                                                              • Part of subcall function 004138B2: RegCloseKey.KERNELBASE(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                                                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                                                                                                            • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenClipboard.USER32 ref: 004168FD
                                                                                                                                                                            • EmptyClipboard.USER32 ref: 0041690B
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                                                                                                                            • CloseClipboard.USER32 ref: 00416990
                                                                                                                                                                            • OpenClipboard.USER32 ref: 00416997
                                                                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                                                                            • CloseClipboard.USER32 ref: 004169BF
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                                                                                            • String ID: !D@
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$Close$File$FirstNext
                                                                                                                                                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                                                                                                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                                                                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                                                            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0$1$2$3$4$5$6$7$VG
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0040755C
                                                                                                                                                                            • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Object_wcslen
                                                                                                                                                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041A84C
                                                                                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                                                                                                                                                              • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                                                                                                              • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Find$CreateFirstNext
                                                                                                                                                                            • String ID: 8SG$PXG$PXG$NG$PG
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                                                                                                            • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040A328
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                                                                                                                            • TranslateMessage.USER32(?), ref: 0040A385
                                                                                                                                                                            • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                                                                                                            Strings
                                                                                                                                                                            • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                                                                            • String ID: Keylogger initialization failure: error
                                                                                                                                                                            • API String ID: 3219506041-952744263
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetForegroundWindow.USER32 ref: 0040A451
                                                                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                                                                                                            • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                                                                                                                            • GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                                                                                                            • GetKeyboardState.USER32(?), ref: 0040A479
                                                                                                                                                                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                                                                                                                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                                                                                                                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1888522110-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                                                                            • API String ID: 2127411465-314212984
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                                                                              • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                                                                              • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                                                                              • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                                                                              • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                                                                                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                                                                                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                                                                            • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                                                                                                            • API String ID: 1589313981-2876530381
                                                                                                                                                                            APIs
                                                                                                                                                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                                                                                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                                                                                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                                                                                                            Strings
                                                                                                                                                                            • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                                                                            • String ID: http://geoplugin.net/json.gp
                                                                                                                                                                            • API String ID: 3121278467-91888290
                                                                                                                                                                            APIs
                                                                                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040BA93
                                                                                                                                                                            Strings
                                                                                                                                                                            • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                                                                                                            • UserProfile, xrefs: 0040BA59
                                                                                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                                                                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                                                                            • API String ID: 2018770650-1062637481
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004179D8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                                                                            • API String ID: 3534403312-3733053543
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00409293
                                                                                                                                                                              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                                                                                                              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                                                                                                                                              • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                                                                                                                                                              • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?), ref: 00404E4C
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                                                                                                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                                                                                                                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1824512719-0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: FSE$FSE$PkGNG
                                                                                                                                                                            • API String ID: 0-1266307253
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                                                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 276877138-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00413584: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                                                                                                                                              • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                                                                                                                                              • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040F905
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                                                                            • String ID: 5.1.3 Pro$override$pth_unenc
                                                                                                                                                                            • API String ID: 2281282204-1392497409
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                                                                                                                                            • GetACP.KERNEL32 ref: 00452593
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                            • String ID: ACP$OCP
                                                                                                                                                                            • API String ID: 2299586839-711371036
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                                                                                                                                            • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                                                                                                            • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                                                                                                            • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                            • String ID: SETTINGS
                                                                                                                                                                            • API String ID: 3473537107-594951305
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 004096A5
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                                                                                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1157919129-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                                                                                                                                            • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                                                                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 745075371-0
                                                                                                                                                                            • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                                                                            • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                                                                                                                            • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                                                                            • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1771804793-0
                                                                                                                                                                            • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                                                                                                                                            • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                                                                                                                                            • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                                                                                                                                            • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                                                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DownloadExecuteFileShell
                                                                                                                                                                            • String ID: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe$open
                                                                                                                                                                            • API String ID: 2825088817-2588547538
                                                                                                                                                                            • Opcode ID: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                                                                                                                                            • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                                                                                                                                            • Opcode Fuzzy Hash: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                                                                                                                                            • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileFind$FirstNextsend
                                                                                                                                                                            • String ID: XPG$XPG
                                                                                                                                                                            • API String ID: 4113138495-1962359302
                                                                                                                                                                            • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                                                                                                                                            • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                                                                                                                                            • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                                                                                                                                            APIs
                                                                                                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                                                              • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                                                                                                                              • Part of subcall function 004137AA: RegSetValueExA.KERNELBASE(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                                                                                                                                              • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                                            • API String ID: 4127273184-3576401099
                                                                                                                                                                            • Opcode ID: 151fde30394074386c3475a809e11d1a6336c1573d3ef2cd27d1ca554eb4e09d
                                                                                                                                                                            • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                                                                                                                                            • Opcode Fuzzy Hash: 151fde30394074386c3475a809e11d1a6336c1573d3ef2cd27d1ca554eb4e09d
                                                                                                                                                                            • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                                                                                                                                            APIs
                                                                                                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                                                              • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                                                                                                                              • Part of subcall function 004137AA: RegSetValueExA.KERNELBASE(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                                                                                                                                              • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                                            • API String ID: 4127273184-3576401099
                                                                                                                                                                            • Opcode ID: 4d6389c29deabeee51a67b5fadf45e106198a50391e212cd7c27e14953ae43fd
                                                                                                                                                                            • Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
                                                                                                                                                                            • Opcode Fuzzy Hash: 4d6389c29deabeee51a67b5fadf45e106198a50391e212cd7c27e14953ae43fd
                                                                                                                                                                            • Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
                                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4212172061-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 0044943D
                                                                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32 ref: 0044944F
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 806657224-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2829624132-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                                                                                                                                                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                                                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1815803762-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                                                                                                                                            • CloseClipboard.USER32 ref: 0040B760
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Clipboard$CloseDataOpen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2058664381-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2325560087-3916222277
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                            • String ID: GetLocaleInfoEx
                                                                                                                                                                            • API String ID: 2299586839-2904428671
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                                                                                                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1663032902-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1084509184-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2692324296-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1084509184-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: NameUser
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2645101109-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1272433827-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1084509184-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2299586839-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3192549508-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                                                                                                              • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                                                                                                            • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00419027
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00419034
                                                                                                                                                                            • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                                                                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                                                                                                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                                                                                                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                                                                                                            • DeleteDC.GDI32(?), ref: 004191B7
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                                                                                                            • DeleteDC.GDI32(?), ref: 00419293
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                                                                                                            • String ID: DISPLAY
                                                                                                                                                                            • API String ID: 479521175-865373369
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                                                                                                                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                                                                                                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                                                                                                                              • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                                                                                                                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                                                                                                                              • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                                                            • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                                                                                                            • API String ID: 1861856835-1447701601
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                                                                                                                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                                                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                                                                                                                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                                                                                                                              • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                                                                                                                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                                                                                                                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040D454
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                                                            • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                                                                                                                                            • API String ID: 3797177996-2483056239
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                                                                                                                                            • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                                                                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                                                                                                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                                                                                                            • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                                                                                                                              • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                                                                                                            • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                                                                                                            • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                                                                                                                                            APIs
                                                                                                                                                                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                                                                                                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                                                                                                                                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                                                                                                                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                                                                                                                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                                                                                                                            • SetEvent.KERNEL32 ref: 0041B2AA
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                                                                                                                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                                                                                                                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Write$Create
                                                                                                                                                                            • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe,00000001,00407688,C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                            • String ID: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0040CE42
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                                                                                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0040CF21
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                                                                                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe,00000000,00000000), ref: 0040CFBF
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0040D001
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040D09D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                                                                                            • String ID: 6$C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe$del$open
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                                                                            • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                                                                                            APIs
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                                                                                                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                                                                                            • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                                                                                                            • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                                                                                                            • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                                                                                                            • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Strings
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                                                                            • String ID: /stext "$0TG$0TG$NG$NG
                                                                                                                                                                            APIs
                                                                                                                                                                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                                                                                                            • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                                                                                                            • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                                                                                                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                                                                                                            • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                                                                                                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                                                                                                            Strings
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                                                                            • String ID: Close
                                                                                                                                                                            APIs
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$Info
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                                                                                                                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                                                                                                            • __aulldiv.LIBCMT ref: 00408D88
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                                                                                                            Strings
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                                                                                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                                                                                                                            APIs
                                                                                                                                                                            • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                                                                                              • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                                                                                              • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                                                              • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                                                              • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                                                                                                                              • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                                                                                                                                            Strings
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                                            • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                                                                                                                            APIs
                                                                                                                                                                            • connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                                                                                            • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                                            • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                                                                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                                                                            • _free.LIBCMT ref: 0045137F
                                                                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                            • _free.LIBCMT ref: 004513A1
                                                                                                                                                                            • _free.LIBCMT ref: 004513B6
                                                                                                                                                                            • _free.LIBCMT ref: 004513C1
                                                                                                                                                                            • _free.LIBCMT ref: 004513E3
                                                                                                                                                                            • _free.LIBCMT ref: 004513F6
                                                                                                                                                                            • _free.LIBCMT ref: 00451404
                                                                                                                                                                            • _free.LIBCMT ref: 0045140F
                                                                                                                                                                            • _free.LIBCMT ref: 00451447
                                                                                                                                                                            • _free.LIBCMT ref: 0045144E
                                                                                                                                                                            • _free.LIBCMT ref: 0045146B
                                                                                                                                                                            • _free.LIBCMT ref: 00451483
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                                                                                                                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                                                                                                                              • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                                                                                                                                                              • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                                                                                                                                                              • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                                                                            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00455D6F
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 00455D76
                                                                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00455D8C
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 00455D95
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00455F31
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 00455F38
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                            • String ID: H
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                                                                                                            • __freea.LIBCMT ref: 0044AEB0
                                                                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                                            • __freea.LIBCMT ref: 0044AEB9
                                                                                                                                                                            • __freea.LIBCMT ref: 0044AEDE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                            • String ID: PkGNG$tC
                                                                                                                                                                            • API String ID: 3864826663-4196309852
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free
                                                                                                                                                                            • String ID: \&G$\&G$`&G
                                                                                                                                                                            • API String ID: 269201875-253610517
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 65535$udp
                                                                                                                                                                            • API String ID: 0-1267037602
                                                                                                                                                                            APIs
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                                                                                                            • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                                                                                                                            • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                                                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                                                                                                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                                                                                                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                                                                            • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                                                                            • API String ID: 911427763-3954389425
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LongNamePath
                                                                                                                                                                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                                                                            • API String ID: 82841172-425784914
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0043A926
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0043A963
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                                                                                                            • _free.LIBCMT ref: 0043A9C3
                                                                                                                                                                            • _free.LIBCMT ref: 0043A9CA
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2441525078-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                                                                                                                            • TranslateMessage.USER32(?), ref: 0040557E
                                                                                                                                                                            • DispatchMessageA.USER32(?), ref: 00405589
                                                                                                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                                                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                                                                            • API String ID: 2956720200-749203953
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                                                                                                            • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                                                                                                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                                                                                                            • String ID: 0VG$0VG$<$@$Temp
                                                                                                                                                                            • API String ID: 1704390241-2575729100
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenClipboard.USER32 ref: 0041697C
                                                                                                                                                                            • EmptyClipboard.USER32 ref: 0041698A
                                                                                                                                                                            • CloseClipboard.USER32 ref: 00416990
                                                                                                                                                                            • OpenClipboard.USER32 ref: 00416997
                                                                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                                                                            • CloseClipboard.USER32 ref: 004169BF
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                                                                            • String ID: !D@
                                                                                                                                                                            • API String ID: 2172192267-604454484
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                                                                                                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                                                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 297527592-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 004481B5
                                                                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                            • _free.LIBCMT ref: 004481C1
                                                                                                                                                                            • _free.LIBCMT ref: 004481CC
                                                                                                                                                                            • _free.LIBCMT ref: 004481D7
                                                                                                                                                                            • _free.LIBCMT ref: 004481E2
                                                                                                                                                                            • _free.LIBCMT ref: 004481ED
                                                                                                                                                                            • _free.LIBCMT ref: 004481F8
                                                                                                                                                                            • _free.LIBCMT ref: 00448203
                                                                                                                                                                            • _free.LIBCMT ref: 0044820E
                                                                                                                                                                            • _free.LIBCMT ref: 0044821C
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Eventinet_ntoa
                                                                                                                                                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                                                                                                                            • API String ID: 3578746661-3604713145
                                                                                                                                                                            APIs
                                                                                                                                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DecodePointer
                                                                                                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                            • API String ID: 3527080286-3064271455
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                                                                                                                            • __fassign.LIBCMT ref: 0044B4F9
                                                                                                                                                                            • __fassign.LIBCMT ref: 0044B514
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                                                                                                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 1324828854-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                                                                                                              • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                                                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                                                                            • API String ID: 1462127192-2001430897
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe), ref: 004074D9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                                                                                                            • API String ID: 2050909247-4242073005
                                                                                                                                                                            APIs
                                                                                                                                                                            • _strftime.LIBCMT ref: 00401D50
                                                                                                                                                                              • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                                                                                                            • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                                                                                                                                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                                                                                                                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                                                                            • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                                                                                                                            • API String ID: 3809562944-243156785
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                                                                                                            • int.LIBCPMT ref: 00410EBC
                                                                                                                                                                              • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                                                              • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                                                                            • String ID: ,kG$0kG
                                                                                                                                                                            • API String ID: 3815856325-2015055088
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                                                                                                            • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                                                                                                                                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                                                                                                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                                                                                                            • waveInStart.WINMM ref: 00401CFE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                                                                            • String ID: dMG$|MG$PG
                                                                                                                                                                            • API String ID: 1356121797-532278878
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                                                                                                              • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                                                                                              • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                                                                                              • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                                                                                                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                                                                                                            • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                                                                                                                            • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                                                                                                                            • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                                                                                                            • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                                                            • String ID: Remcos
                                                                                                                                                                            • API String ID: 1970332568-165870891
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                                                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                                                                                                                                                            • __freea.LIBCMT ref: 00454083
                                                                                                                                                                            • __freea.LIBCMT ref: 0045408F
                                                                                                                                                                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                                            • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                                                                                            • _free.LIBCMT ref: 00445515
                                                                                                                                                                            • _free.LIBCMT ref: 0044552E
                                                                                                                                                                            • _free.LIBCMT ref: 00445560
                                                                                                                                                                            • _free.LIBCMT ref: 00445569
                                                                                                                                                                            • _free.LIBCMT ref: 00445575
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                            • String ID: C
                                                                                                                                                                            Strings
                                                                                                                                                                            • String ID: tcp$udp
                                                                                                                                                                            APIs
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                                                                            • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                                                                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                                                            • String ID: PkG$XMG$NG$NG
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                                                                                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                                                                                              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                                                                                                                                              • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                                                                            • String ID: .part
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendInput.USER32 ref: 00419A25
                                                                                                                                                                            • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                                                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                                                                                            • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                                                                                              • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                                                                                                            • API ID: InputSend$Virtual
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: __freea$__alloca_probe_16_free
                                                                                                                                                                            • String ID: a/p$am/pm$h{D
                                                                                                                                                                            • API String ID: 2936374016-2303565833
                                                                                                                                                                            • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                                                                                                                                            • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                                                                                            • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                                                                                                                                            • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                                            • _free.LIBCMT ref: 00444E87
                                                                                                                                                                            • _free.LIBCMT ref: 00444E9E
                                                                                                                                                                            • _free.LIBCMT ref: 00444EBD
                                                                                                                                                                            • _free.LIBCMT ref: 00444ED8
                                                                                                                                                                            • _free.LIBCMT ref: 00444EEF
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$AllocateHeap
                                                                                                                                                                            • String ID: KED
                                                                                                                                                                            • API String ID: 3033488037-2133951994
                                                                                                                                                                            • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                                                                                                                                            • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                                                                                            • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                                                                                                                                            • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Enum$InfoQueryValue
                                                                                                                                                                            • String ID: [regsplt]$xUG$TG
                                                                                                                                                                            • API String ID: 3554306468-1165877943
                                                                                                                                                                            • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                                                                                                                                            • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                                                                                                                                            • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                                                                                                                                            • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                                                                                                                                              • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                                                                              • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEnumInfoOpenQuerysend
                                                                                                                                                                            • String ID: xUG$NG$NG$TG
                                                                                                                                                                            • API String ID: 3114080316-2811732169
                                                                                                                                                                            • Opcode ID: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                                                                                                                                            • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                                                                                                                                            • Opcode Fuzzy Hash: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                                                                                                                                            • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                                                                                                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                                                                                                                                                            • __freea.LIBCMT ref: 0045129D
                                                                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 313313983-263838557
                                                                                                                                                                            • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                                                                                                                                            • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                                                                                                            • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                                                                                                                                            • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                                                                              • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                                                                                              • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                                                                                                                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                                                                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                                                                            • API String ID: 1133728706-4073444585
                                                                                                                                                                            • Opcode ID: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                                                                                                                                                                            • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                                                                                                                            • Opcode Fuzzy Hash: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                                                                                                                                                                            • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                                                                                                                                            • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                                                                                            • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                                                                                                                                            • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                                                                                            • _free.LIBCMT ref: 00450FC8
                                                                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                            • _free.LIBCMT ref: 00450FD3
                                                                                                                                                                            • _free.LIBCMT ref: 00450FDE
                                                                                                                                                                            • _free.LIBCMT ref: 00451032
                                                                                                                                                                            • _free.LIBCMT ref: 0045103D
                                                                                                                                                                            • _free.LIBCMT ref: 00451048
                                                                                                                                                                            • _free.LIBCMT ref: 00451053
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                                                                                            • int.LIBCPMT ref: 004111BE
                                                                                                                                                                              • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                                                                              • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                                                            • String ID: (mG
                                                                                                                                                                            • API String ID: 2536120697-4059303827
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe), ref: 0040760B
                                                                                                                                                                              • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                                                                                              • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                                                                            • CoUninitialize.OLE32 ref: 00407664
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                                                                            • String ID: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                                                                            • API String ID: 3851391207-3868434948
                                                                                                                                                                            APIs
                                                                                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040BB22
                                                                                                                                                                            Strings
                                                                                                                                                                            • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                                                                                                            • UserProfile, xrefs: 0040BAE8
                                                                                                                                                                            • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                                                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                                                            • API String ID: 2018770650-304995407
                                                                                                                                                                            APIs
                                                                                                                                                                            • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                                                                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Console$AllocOutputShowWindow
                                                                                                                                                                            • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                                                                                                                                            • API String ID: 2425139147-2212855755
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                            • String ID: CorExitProcess$PkGNG$mscoree.dll
                                                                                                                                                                            • API String ID: 4061214504-213444651
                                                                                                                                                                            APIs
                                                                                                                                                                            • __allrem.LIBCMT ref: 0043ACE9
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                                                                                                            • __allrem.LIBCMT ref: 0043AD1C
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                                                                                                            • __allrem.LIBCMT ref: 0043AD51
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1992179935-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                                                                                                                                                              • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prologSleep
                                                                                                                                                                            • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                                                                                                            • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                                                                                                                            • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                                                                                                                                                              • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                                                                                                                                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                                                                                                                                                              • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                                                                                                                                              • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __cftoe
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __alldvrm$_strrchr
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                                            • _free.LIBCMT ref: 004482CC
                                                                                                                                                                            • _free.LIBCMT ref: 004482F4
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                                            • _abort.LIBCMT ref: 00448313
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                                                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free
                                                                                                                                                                            • String ID: @^E
                                                                                                                                                                            • API String ID: 269201875-2908066071
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 0-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 3360349984-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                                            • wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EventLocalTimewsprintf
                                                                                                                                                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                                            • API String ID: 1497725170-248792730
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                                                            • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                                                                            • String ID: XQG
                                                                                                                                                                            • API String ID: 1958988193-3606453820
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                                                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041D611
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                                            • String ID: 0$MsgWindowClass
                                                                                                                                                                            • API String ID: 2877667751-2410386613
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                                                                                                            Strings
                                                                                                                                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                                                                                                            • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                                            • API String ID: 2922976086-4183131282
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: SG$C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                            • API String ID: 0-2560790889
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 0040512C
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00405140
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                                            • String ID: KeepAlive | Disabled
                                                                                                                                                                            • API String ID: 2993684571-305739064
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                                                                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                                                                                                            • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                                                                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                                                                                            • String ID: Alarm triggered
                                                                                                                                                                            • API String ID: 614609389-2816303416
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                                                                                                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                                                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                                                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                                                                                                                            Strings
                                                                                                                                                                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                                                                                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                                                                                            • API String ID: 3024135584-2418719853
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                                                                                                              • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                                                                                                                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                                                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4269425633-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 269201875-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                                                                                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                                                                                                            • _free.LIBCMT ref: 0044F43F
                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 336800556-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseHandle$CreatePointerWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1852769593-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                                                                                                                                            • _free.LIBCMT ref: 00448353
                                                                                                                                                                            • _free.LIBCMT ref: 0044837A
                                                                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 00448387
                                                                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 00448390
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3170660625-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 00450A54
                                                                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                            • _free.LIBCMT ref: 00450A66
                                                                                                                                                                            • _free.LIBCMT ref: 00450A78
                                                                                                                                                                            • _free.LIBCMT ref: 00450A8A
                                                                                                                                                                            • _free.LIBCMT ref: 00450A9C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 00444106
                                                                                                                                                                              • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                                            • _free.LIBCMT ref: 00444118
                                                                                                                                                                            • _free.LIBCMT ref: 0044412B
                                                                                                                                                                            • _free.LIBCMT ref: 0044413C
                                                                                                                                                                            • _free.LIBCMT ref: 0044414D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 0-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CountEventTick
                                                                                                                                                                            • String ID: !D@$NG
                                                                                                                                                                            • API String ID: 180926312-2721294649
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                                                                                                              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                                                                                              • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                                                                                                                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                                                                                                            • String ID: XQG$NG$PG
                                                                                                                                                                            • API String ID: 1634807452-3565412412
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe,00000104), ref: 00443515
                                                                                                                                                                            • _free.LIBCMT ref: 004435E0
                                                                                                                                                                            • _free.LIBCMT ref: 004435EA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                                                                            • String ID: C:\Users\user\Desktop\EIuz8Bk9kGav2ix.exe
                                                                                                                                                                            • API String ID: 2506810119-1934106131
                                                                                                                                                                            • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                                            • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                                                                                            • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                                            • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                                                                                            APIs
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B9B1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 2456169464-263838557
                                                                                                                                                                            • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                                                                                                                                            • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                                                                                                                                            • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                                                                                                                                            • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                                                                                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                                                                                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                                                                                              • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                                            • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                                            • String ID: /sort "Visit Time" /stext "$0NG
                                                                                                                                                                            • API String ID: 368326130-3219657780
                                                                                                                                                                            • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                                                                                                                                            • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                                                                                                                            • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                                                                                                                                            • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcslen.LIBCMT ref: 00416330
                                                                                                                                                                              • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                                                                              • Part of subcall function 004138B2: RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                                                                              • Part of subcall function 004138B2: RegCloseKey.KERNELBASE(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                                                                              • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcslen$CloseCreateValue
                                                                                                                                                                            • String ID: !D@$okmode$PG
                                                                                                                                                                            • API String ID: 3411444782-3370592832
                                                                                                                                                                            • Opcode ID: daa606be5f890dd41bf4520ea31fc1fcd77c876229317bee2e8551f29a719760
                                                                                                                                                                            • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                                                                                                                            • Opcode Fuzzy Hash: daa606be5f890dd41bf4520ea31fc1fcd77c876229317bee2e8551f29a719760
                                                                                                                                                                            • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                                                                                                                            Strings
                                                                                                                                                                            • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                                                                                                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExistsFilePath
                                                                                                                                                                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                                            • API String ID: 1174141254-1980882731
                                                                                                                                                                            • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                                                                                                                                            • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                                                                                                            • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                                                                                                                                            • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                                                                                                            Strings
                                                                                                                                                                            • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                                                                                                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExistsFilePath
                                                                                                                                                                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                                            • API String ID: 1174141254-1980882731
                                                                                                                                                                            • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                                                                                                                                            • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                                                                                                            • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                                                                                                                                            • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                                                                                                                                              • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                                              • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateThread$LocalTimewsprintf
                                                                                                                                                                            • String ID: Offline Keylogger Started
                                                                                                                                                                            • API String ID: 465354869-4114347211
                                                                                                                                                                            • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                                                                                                                                            • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                                                                                                            • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                                                                                                                                            • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                                              • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateThread$LocalTime$wsprintf
                                                                                                                                                                            • String ID: Online Keylogger Started
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LocalTime
                                                                                                                                                                            • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                                                                                                                                            Strings
                                                                                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create$EventLocalThreadTime
                                                                                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: CryptUnprotectData$crypt32
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044C316
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0044C31D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            APIs
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEventHandleObjectSingleWait
                                                                                                                                                                            • String ID: Connection Timeout
                                                                                                                                                                            APIs
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Exception@8Throw
                                                                                                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                            APIs
                                                                                                                                                                            • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                                                                                                                                            • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FormatFreeLocalMessage
                                                                                                                                                                            • String ID: @J@$PkGNG
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                                                                                                                                            • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 00413888
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                                                                                                                                                            Strings
                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateValue
                                                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                                            • API String ID: 1818849710-1051519024
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                                                                                                              • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                                                                                                              • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                                            • API String ID: 3628047217-1405518554
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                                                                                                            • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                                                                                                            • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                                                                                                              • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                                                                                                                              • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                                                                              • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                                                                                                                                            • String ID: !D@
                                                                                                                                                                            • API String ID: 3446828153-604454484
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExecuteShell
                                                                                                                                                                            • String ID: /C $cmd.exe$open
                                                                                                                                                                            • API String ID: 587946157-3896048727
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                            • String ID: GetCursorInfo$User32.dll
                                                                                                                                                                            • API String ID: 1646373207-2714051624
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: GetLastInputInfo$User32.dll
                                                                                                                                                                            • API String ID: 2574300362-1519888992
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                                                                                                            • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                                                                            • API String ID: 3472027048-1236744412
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                                                                                                                              • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                                                                                                                              • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                                                                                                                                            • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$SleepText$ForegroundLength
                                                                                                                                                                            • String ID: [ $ ]
                                                                                                                                                                            • API String ID: 3309952895-93608704
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                                                                                                                              • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                                                                                                                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                                                                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                                                                                                                            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2633735394-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                                                                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                                                                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                                                                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                                                                                                                                            • API ID: MetricsSystem
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4116985748-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                                                                                                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                                                                                                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                                                                                                              • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                                                                                                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                                                                                                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1761009282-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: ErrorHandling__start
                                                                                                                                                                            • String ID: pow
                                                                                                                                                                            • API String ID: 3213639722-2276729525
                                                                                                                                                                            APIs
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00449FAB
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: ByteCharErrorLastMultiWide
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 203985260-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID: Init_thread_footer__onexit
                                                                                                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                                                                                                            • API String ID: 1881088180-3686566968
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                                                                                                                                            Strings
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ACP$OCP
                                                                                                                                                                            • API String ID: 0-711371036
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B884
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 442123175-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B796
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            • API String ID: 442123175-263838557
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                                                                                                            Strings
                                                                                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LocalTime
                                                                                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                                            • API String ID: 481472006-1507639952
                                                                                                                                                                            APIs
                                                                                                                                                                            • Sleep.KERNEL32 ref: 0041667B
                                                                                                                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DownloadFileSleep
                                                                                                                                                                            • String ID: !D@
                                                                                                                                                                            • API String ID: 1931167962-604454484
                                                                                                                                                                            APIs
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExistsFilePath
                                                                                                                                                                            • String ID: alarm.wav$hYG
                                                                                                                                                                            • API String ID: 1174141254-2782910960
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                                              • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                                                                                                                            • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                                                                                            • String ID: Online Keylogger Stopped
                                                                                                                                                                            • API String ID: 1623830855-1496645233
                                                                                                                                                                            APIs
                                                                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: String
                                                                                                                                                                            • String ID: LCMapStringEx$PkGNG
                                                                                                                                                                            • API String ID: 2568140703-1065776982
                                                                                                                                                                            APIs
                                                                                                                                                                            • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                                                                                                                                            • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wave$BufferHeaderPrepare
                                                                                                                                                                            • String ID: XMG
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LocaleValid
                                                                                                                                                                            • String ID: IsValidLocaleName$kKD
                                                                                                                                                                            APIs
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExistsFilePath
                                                                                                                                                                            • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                                                                                                            APIs
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExistsFilePath
                                                                                                                                                                            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                                                                            APIs
                                                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExistsFilePath
                                                                                                                                                                            • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                                                                                                              • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                                                                                                                              • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                                                                                                              • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                                                                                                                              • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                                                                                                              • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                                                                                                                              • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                                                                                                                              • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                                                                                                                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                                                            • String ID: [AltL]$[AltR]
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Time$FileSystem
                                                                                                                                                                            • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExecuteShell
                                                                                                                                                                            • String ID: !D@$open
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___initconout.LIBCMT ref: 004555DB
                                                                                                                                                                              • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                                                                                                                                                            • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ConsoleCreateFileWrite___initconout
                                                                                                                                                                            • String ID: PkGNG
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: State
                                                                                                                                                                            • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                            • API String ID: 1649606143-2446555240
                                                                                                                                                                            • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                                                                                                                                            • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                                                                                            • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                                                                                                                                            • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Init_thread_footer__onexit
                                                                                                                                                                            • String ID: ,kG$0kG
                                                                                                                                                                            • API String ID: 1881088180-2015055088
                                                                                                                                                                            • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                                                                                                                            • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                                                                                                                                            • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                                                                                                                            • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                                                                                                                                                            • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                                                                                                                                                            Strings
                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DeleteOpenValue
                                                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                                            • API String ID: 2654517830-1051519024
                                                                                                                                                                            • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                                            • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                                                                                                            • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                                            • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00440D85
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1717984340-0
                                                                                                                                                                            • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                                                                                                                                            • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                                                                                                            • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                                                                                                            • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                                                                                                                                            • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000008.00000002.1708135190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_EIuz8Bk9kGav2ix.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4100373531-0
                                                                                                                                                                            • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                                                                            • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                                                                                                            • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                                                                            • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:13.9%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                            Signature Coverage:0%
                                                                                                                                                                            Total number of Nodes:18
                                                                                                                                                                            Total number of Limit Nodes:2

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02E38F01
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000A.00000002.1796476647.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_10_2_2e30000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: ef2b6dd2316927ed4eb1fad6b325801c3031129c1e3af41d5680bf89f3c99753
                                                                                                                                                                            • Instruction ID: 544e98c911a21c2e18af8c3db90ba0f2fb79403637a4bc8c5dd6b690143b0d64
                                                                                                                                                                            • Opcode Fuzzy Hash: ef2b6dd2316927ed4eb1fad6b325801c3031129c1e3af41d5680bf89f3c99753
                                                                                                                                                                            • Instruction Fuzzy Hash: 4541CEB0C0071DCEDB24CFA9C888BDDBBB2BF48304F20815AD409AB255DB756946CF90

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02E38F01
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000A.00000002.1796476647.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_10_2_2e30000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 9071c7820dd807b5b785e899fb2c93867aa4c8d6e38681bbf35a9b0dcaf7efca
                                                                                                                                                                            • Instruction ID: 4f384a9a4b1eec0ff3d2d978e4b2561d8ba39fc0017e671fabdd476f5ca6ff78
                                                                                                                                                                            • Opcode Fuzzy Hash: 9071c7820dd807b5b785e899fb2c93867aa4c8d6e38681bbf35a9b0dcaf7efca
                                                                                                                                                                            • Instruction Fuzzy Hash: CE41C1B0C0071DCFDB24DFAAC848B9DBBB6BF49314F20805AE409AB251DB756945CF90
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02E3E83E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000A.00000002.1796476647.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_10_2_2e30000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4139908857-0

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:2.7%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                            Signature Coverage:0%
                                                                                                                                                                            Total number of Nodes:1659
                                                                                                                                                                            Total number of Limit Nodes:5
7199->7200 7201 10006368 _free 20 API calls 7200->7201 7202 10009b4b 7201->7202 7203 100062ac _abort 26 API calls 7202->7203 7204 10009b56 7203->7204 7205 10002ada _ValidateLocalCookies 5 API calls 7204->7205 7206 10009d15 7205->7206 6168 1000543d 6169 10005440 6168->6169 6172 100055a8 6169->6172 6183 10007613 6172->6183 6176 100055c2 IsProcessorFeaturePresent 6180 100055cd 6176->6180 6177 100055e0 6213 10004bc1 6177->6213 6179 100055b8 6179->6176 6179->6177 6182 100060e2 _abort 8 API calls 6180->6182 6182->6177 6216 10007581 6183->6216 6186 1000766e 6187 1000767a _abort 6186->6187 6188 10005b7a _abort 20 API calls 6187->6188 6192 100076a7 _abort 6187->6192 6193 100076a1 _abort 6187->6193 6188->6193 6189 100076f3 6190 10006368 _free 20 API calls 6189->6190 6191 100076f8 6190->6191 6194 100062ac _abort 26 API calls 6191->6194 6198 1000771f 6192->6198 6230 10005671 RtlEnterCriticalSection 6192->6230 6193->6189 6193->6192 6212 100076d6 6193->6212 6194->6212 6199 1000777e 6198->6199 6201 10007776 6198->6201 6209 100077a9 6198->6209 6231 100056b9 RtlLeaveCriticalSection 6198->6231 6199->6209 6232 10007665 6199->6232 6204 10004bc1 _abort 28 API calls 6201->6204 6204->6199 6208 10007665 _abort 38 API calls 6208->6209 6235 1000782e 6209->6235 6210 1000780c 6211 10005af6 _abort 38 API calls 6210->6211 6210->6212 6211->6212 6259 1000bdc9 6212->6259 6263 1000499b 6213->6263 6219 10007527 6216->6219 6218 100055ad 6218->6179 6218->6186 6220 10007533 ___DestructExceptionObject 6219->6220 6225 10005671 RtlEnterCriticalSection 6220->6225 6222 10007541 6226 10007575 6222->6226 6224 10007568 _abort 6224->6218 6225->6222 6229 100056b9 RtlLeaveCriticalSection 6226->6229 6228 1000757f 6228->6224 6229->6228 6230->6198 6231->6201 6233 10005af6 _abort 38 API calls 6232->6233 6234 1000766a 6233->6234 6234->6208 6236 10007834 6235->6236 6238 100077fd 6235->6238 6262 100056b9 RtlLeaveCriticalSection 6236->6262 6238->6210 6238->6212 6239 10005af6 GetLastError 6238->6239 6240 10005b12 
6239->6240 6241 10005b0c 6239->6241 6242 1000637b _abort 20 API calls 6240->6242 6245 10005b61 SetLastError 6240->6245 6243 10005e08 _abort 11 API calls 6241->6243 6244 10005b24 6242->6244 6243->6240 6246 10005b2c 6244->6246 6247 10005e5e _abort 11 API calls 6244->6247 6245->6210 6248 1000571e _free 20 API calls 6246->6248 6249 10005b41 6247->6249 6250 10005b32 6248->6250 6249->6246 6251 10005b48 6249->6251 6252 10005b6d SetLastError 6250->6252 6253 1000593c _abort 20 API calls 6251->6253 6254 100055a8 _abort 35 API calls 6252->6254 6255 10005b53 6253->6255 6256 10005b79 6254->6256 6257 1000571e _free 20 API calls 6255->6257 6258 10005b5a 6257->6258 6258->6245 6258->6252 6260 10002ada _ValidateLocalCookies 5 API calls 6259->6260 6261 1000bdd4 6260->6261 6261->6261 6262->6238 6264 100049a7 _abort 6263->6264 6265 100049bf 6264->6265 6285 10004af5 GetModuleHandleW 6264->6285 6294 10005671 RtlEnterCriticalSection 6265->6294 6269 10004a65 6302 10004aa5 6269->6302 6273 10004a3c 6274 10004a54 6273->6274 6298 10004669 6273->6298 6280 10004669 _abort 5 API calls 6274->6280 6275 100049c7 6275->6269 6275->6273 6295 1000527a 6275->6295 6276 10004a82 6305 10004ab4 6276->6305 6277 10004aae 6278 1000bdc9 _abort 5 API calls 6277->6278 6283 10004ab3 6278->6283 6280->6269 6286 100049b3 6285->6286 6286->6265 6287 10004b39 GetModuleHandleExW 6286->6287 6288 10004b63 GetProcAddress 6287->6288 6289 10004b78 6287->6289 6288->6289 6290 10004b95 6289->6290 6291 10004b8c FreeLibrary 6289->6291 6292 10002ada _ValidateLocalCookies 5 API calls 6290->6292 6291->6290 6293 10004b9f 6292->6293 6293->6265 6294->6275 6313 10005132 6295->6313 6299 10004698 6298->6299 6300 10002ada _ValidateLocalCookies 5 API calls 6299->6300 6301 100046c1 6300->6301 6301->6274 6335 100056b9 RtlLeaveCriticalSection 6302->6335 6304 10004a7e 6304->6276 6304->6277 6336 10006025 6305->6336 6308 10004ae2 6311 10004b39 _abort 8 API calls 6308->6311 6309 10004ac2 GetPEB 6309->6308 6310 10004ad2 GetCurrentProcess 
TerminateProcess 6309->6310 6310->6308 6312 10004aea ExitProcess 6311->6312 6316 100050e1 6313->6316 6315 10005156 6315->6273 6317 100050ed ___DestructExceptionObject 6316->6317 6324 10005671 RtlEnterCriticalSection 6317->6324 6319 100050fb 6325 1000515a 6319->6325 6323 10005119 _abort 6323->6315 6324->6319 6326 1000517a 6325->6326 6329 10005182 6325->6329 6327 10002ada _ValidateLocalCookies 5 API calls 6326->6327 6328 10005108 6327->6328 6331 10005126 6328->6331 6329->6326 6330 1000571e _free 20 API calls 6329->6330 6330->6326 6334 100056b9 RtlLeaveCriticalSection 6331->6334 6333 10005130 6333->6323 6334->6333 6335->6304 6337 1000604a 6336->6337 6341 10006040 6336->6341 6338 10005c45 _abort 5 API calls 6337->6338 6338->6341 6339 10002ada _ValidateLocalCookies 5 API calls 6340 10004abe 6339->6340 6340->6308 6340->6309 6341->6339 7207 10001f3f 7208 10001f4b ___DestructExceptionObject 7207->7208 7225 1000247c 7208->7225 7210 10001f52 7211 10002041 7210->7211 7212 10001f7c 7210->7212 7224 10001f57 ___scrt_is_nonwritable_in_current_image 7210->7224 7214 10002639 ___scrt_fastfail 4 API calls 7211->7214 7236 100023de 7212->7236 7215 10002048 7214->7215 7216 10001f8b __RTC_Initialize 7216->7224 7239 100022fc RtlInitializeSListHead 7216->7239 7218 10001f99 ___scrt_initialize_default_local_stdio_options 7240 100046c5 7218->7240 7222 10001fb8 7223 10004669 _abort 5 API calls 7222->7223 7222->7224 7223->7224 7226 10002485 7225->7226 7248 10002933 IsProcessorFeaturePresent 7226->7248 7230 10002496 7231 1000249a 7230->7231 7259 100053c8 7230->7259 7231->7210 7234 100024b1 7234->7210 7235 10003529 ___vcrt_uninitialize 8 API calls 7235->7231 7290 100024b5 7236->7290 7238 100023e5 7238->7216 7239->7218 7242 100046dc 7240->7242 7241 10002ada _ValidateLocalCookies 5 API calls 7243 10001fad 7241->7243 7242->7241 7243->7224 7244 100023b3 7243->7244 7245 100023b8 ___scrt_release_startup_lock 7244->7245 7246 10002933 ___isa_available_init IsProcessorFeaturePresent 7245->7246 7247 
100023c1 7245->7247 7246->7247 7247->7222 7249 10002491 7248->7249 7250 100034ea 7249->7250 7251 100034ef ___vcrt_initialize_winapi_thunks 7250->7251 7262 10003936 7251->7262 7254 100034fd 7254->7230 7256 10003505 7257 10003510 7256->7257 7258 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7256->7258 7257->7230 7258->7254 7286 10007457 7259->7286 7263 1000393f 7262->7263 7265 10003968 7263->7265 7266 100034f9 7263->7266 7276 10003be0 7263->7276 7267 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7265->7267 7266->7254 7268 100038e8 7266->7268 7267->7266 7281 10003af1 7268->7281 7271 100038fd 7271->7256 7272 10003ba2 ___vcrt_FlsSetValue 6 API calls 7273 1000390b 7272->7273 7274 10003918 7273->7274 7275 1000391b ___vcrt_uninitialize_ptd 6 API calls 7273->7275 7274->7256 7275->7271 7277 10003a82 try_get_function 5 API calls 7276->7277 7278 10003bfa 7277->7278 7279 10003c18 InitializeCriticalSectionAndSpinCount 7278->7279 7280 10003c03 7278->7280 7279->7280 7280->7263 7282 10003a82 try_get_function 5 API calls 7281->7282 7283 10003b0b 7282->7283 7284 10003b24 TlsAlloc 7283->7284 7285 100038f2 7283->7285 7285->7271 7285->7272 7289 10007470 7286->7289 7287 10002ada _ValidateLocalCookies 5 API calls 7288 100024a3 7287->7288 7288->7234 7288->7235 7289->7287 7291 100024c4 7290->7291 7292 100024c8 7290->7292 7291->7238 7293 10002639 ___scrt_fastfail 4 API calls 7292->7293 7295 100024d5 ___scrt_release_startup_lock 7292->7295 7294 10002559 7293->7294 7295->7238 6342 10008640 6345 10008657 6342->6345 6346 10008665 6345->6346 6347 10008679 6345->6347 6348 10006368 _free 20 API calls 6346->6348 6349 10008681 6347->6349 6350 10008693 6347->6350 6352 1000866a 6348->6352 6351 10006368 _free 20 API calls 6349->6351 6357 10008652 6350->6357 6358 100054a7 6350->6358 6353 10008686 6351->6353 6355 100062ac _abort 26 API calls 6352->6355 6356 100062ac _abort 26 API calls 6353->6356 6355->6357 6356->6357 6359 100054c4 6358->6359 6360 100054ba 6358->6360 
6359->6360 6361 10005af6 _abort 38 API calls 6359->6361 6360->6357 6362 100054e5 6361->6362 6366 10007a00 6362->6366 6367 10007a13 6366->6367 6368 100054fe 6366->6368 6367->6368 6374 10007f0f 6367->6374 6370 10007a2d 6368->6370 6371 10007a40 6370->6371 6372 10007a55 6370->6372 6371->6372 6509 10006d7e 6371->6509 6372->6360 6375 10007f1b ___DestructExceptionObject 6374->6375 6376 10005af6 _abort 38 API calls 6375->6376 6377 10007f24 6376->6377 6378 10007f72 _abort 6377->6378 6386 10005671 RtlEnterCriticalSection 6377->6386 6378->6368 6380 10007f42 6387 10007f86 6380->6387 6385 100055a8 _abort 38 API calls 6385->6378 6386->6380 6388 10007f56 6387->6388 6389 10007f94 _abort 6387->6389 6391 10007f75 6388->6391 6389->6388 6394 10007cc2 6389->6394 6508 100056b9 RtlLeaveCriticalSection 6391->6508 6393 10007f69 6393->6378 6393->6385 6395 10007d42 6394->6395 6398 10007cd8 6394->6398 6396 10007d90 6395->6396 6399 1000571e _free 20 API calls 6395->6399 6462 10007e35 6396->6462 6398->6395 6400 10007d0b 6398->6400 6405 1000571e _free 20 API calls 6398->6405 6401 10007d64 6399->6401 6402 10007d2d 6400->6402 6411 1000571e _free 20 API calls 6400->6411 6403 1000571e _free 20 API calls 6401->6403 6404 1000571e _free 20 API calls 6402->6404 6406 10007d77 6403->6406 6408 10007d37 6404->6408 6410 10007d00 6405->6410 6412 1000571e _free 20 API calls 6406->6412 6407 10007d9e 6409 10007dfe 6407->6409 6421 1000571e 20 API calls _free 6407->6421 6413 1000571e _free 20 API calls 6408->6413 6414 1000571e _free 20 API calls 6409->6414 6422 100090ba 6410->6422 6416 10007d22 6411->6416 6417 10007d85 6412->6417 6413->6395 6420 10007e04 6414->6420 6450 100091b8 6416->6450 6419 1000571e _free 20 API calls 6417->6419 6419->6396 6420->6388 6421->6407 6423 100090cb 6422->6423 6449 100091b4 6422->6449 6424 100090dc 6423->6424 6425 1000571e _free 20 API calls 6423->6425 6426 100090ee 6424->6426 6427 1000571e _free 20 API calls 6424->6427 6425->6424 6428 10009100 6426->6428 6430 1000571e _free 20 API 
calls 6426->6430 6427->6426 6429 10009112 6428->6429 6431 1000571e _free 20 API calls 6428->6431 6432 10009124 6429->6432 6433 1000571e _free 20 API calls 6429->6433 6430->6428 6431->6429 6434 10009136 6432->6434 6435 1000571e _free 20 API calls 6432->6435 6433->6432 6436 10009148 6434->6436 6437 1000571e _free 20 API calls 6434->6437 6435->6434 6438 1000571e _free 20 API calls 6436->6438 6439 1000915a 6436->6439 6437->6436 6438->6439 6440 1000916c 6439->6440 6441 1000571e _free 20 API calls 6439->6441 6442 1000917e 6440->6442 6443 1000571e _free 20 API calls 6440->6443 6441->6440 6444 10009190 6442->6444 6446 1000571e _free 20 API calls 6442->6446 6443->6442 6445 100091a2 6444->6445 6447 1000571e _free 20 API calls 6444->6447 6448 1000571e _free 20 API calls 6445->6448 6445->6449 6446->6444 6447->6445 6448->6449 6449->6400 6451 100091c5 6450->6451 6461 1000921d 6450->6461 6452 100091d5 6451->6452 6453 1000571e _free 20 API calls 6451->6453 6454 100091e7 6452->6454 6455 1000571e _free 20 API calls 6452->6455 6453->6452 6456 1000571e _free 20 API calls 6454->6456 6457 100091f9 6454->6457 6455->6454 6456->6457 6458 1000920b 6457->6458 6459 1000571e _free 20 API calls 6457->6459 6460 1000571e _free 20 API calls 6458->6460 6458->6461 6459->6458 6460->6461 6461->6402 6463 10007e60 6462->6463 6464 10007e42 6462->6464 6463->6407 6464->6463 6468 1000925d 6464->6468 6467 1000571e _free 20 API calls 6467->6463 6469 10007e5a 6468->6469 6470 1000926e 6468->6470 6469->6467 6504 10009221 6470->6504 6473 10009221 _abort 20 API calls 6474 10009281 6473->6474 6475 10009221 _abort 20 API calls 6474->6475 6476 1000928c 6475->6476 6477 10009221 _abort 20 API calls 6476->6477 6478 10009297 6477->6478 6479 10009221 _abort 20 API calls 6478->6479 6480 100092a5 6479->6480 6481 1000571e _free 20 API calls 6480->6481 6482 100092b0 6481->6482 6483 1000571e _free 20 API calls 6482->6483 6484 100092bb 6483->6484 6485 1000571e _free 20 API calls 6484->6485 6486 100092c6 6485->6486 6487 10009221 
_abort 20 API calls 6486->6487 6488 100092d4 6487->6488 6489 10009221 _abort 20 API calls 6488->6489 6490 100092e2 6489->6490 6491 10009221 _abort 20 API calls 6490->6491 6492 100092f3 6491->6492 6493 10009221 _abort 20 API calls 6492->6493 6494 10009301 6493->6494 6495 10009221 _abort 20 API calls 6494->6495 6496 1000930f 6495->6496 6497 1000571e _free 20 API calls 6496->6497 6498 1000931a 6497->6498 6499 1000571e _free 20 API calls 6498->6499 6500 10009325 6499->6500 6501 1000571e _free 20 API calls 6500->6501 6502 10009330 6501->6502 6503 1000571e _free 20 API calls 6502->6503 6503->6469 6505 10009258 6504->6505 6506 10009248 6504->6506 6505->6473 6506->6505 6507 1000571e _free 20 API calls 6506->6507 6507->6506 6508->6393 6510 10006d8a ___DestructExceptionObject 6509->6510 6511 10005af6 _abort 38 API calls 6510->6511 6516 10006d94 6511->6516 6513 10006e18 _abort 6513->6372 6515 100055a8 _abort 38 API calls 6515->6516 6516->6513 6516->6515 6517 1000571e _free 20 API calls 6516->6517 6518 10005671 RtlEnterCriticalSection 6516->6518 6519 10006e0f 6516->6519 6517->6516 6518->6516 6522 100056b9 RtlLeaveCriticalSection 6519->6522 6521 10006e16 6521->6516 6522->6521 7296 1000af43 7297 1000af59 7296->7297 7298 1000af4d 7296->7298 7298->7297 7299 1000af52 CloseHandle 7298->7299 7299->7297 7300 1000a945 7302 1000a96d 7300->7302 7301 1000a9a5 7302->7301 7303 1000a997 7302->7303 7304 1000a99e 7302->7304 7309 1000aa17 7303->7309 7313 1000aa00 7304->7313 7310 1000aa20 7309->7310 7317 1000b19b 7310->7317 7314 1000aa20 7313->7314 7315 1000b19b __startOneArgErrorHandling 21 API calls 7314->7315 7316 1000a9a3 7315->7316 7318 1000b1da __startOneArgErrorHandling 7317->7318 7323 1000b25c __startOneArgErrorHandling 7318->7323 7327 1000b59e 7318->7327 7320 1000b286 7321 1000b8b2 __startOneArgErrorHandling 20 API calls 7320->7321 7322 1000b292 7320->7322 7321->7322 7325 10002ada _ValidateLocalCookies 5 API calls 7322->7325 7323->7320 7324 100078a3 __startOneArgErrorHandling 5 API 
calls 7323->7324 7324->7320 7326 1000a99c 7325->7326 7328 1000b5c1 __raise_exc RaiseException 7327->7328 7329 1000b5bc 7328->7329 7329->7323 7591 1000a1c6 IsProcessorFeaturePresent 7592 10007bc7 7593 10007bd3 ___DestructExceptionObject 7592->7593 7594 10007c0a _abort 7593->7594 7600 10005671 RtlEnterCriticalSection 7593->7600 7596 10007be7 7597 10007f86 20 API calls 7596->7597 7598 10007bf7 7597->7598 7601 10007c10 7598->7601 7600->7596 7604 100056b9 RtlLeaveCriticalSection 7601->7604 7603 10007c17 7603->7594 7604->7603 7330 10005348 7331 10003529 ___vcrt_uninitialize 8 API calls 7330->7331 7332 1000534f 7331->7332 7333 10007b48 7343 10008ebf 7333->7343 7337 10007b55 7356 1000907c 7337->7356 7340 10007b7f 7341 1000571e _free 20 API calls 7340->7341 7342 10007b8a 7341->7342 7360 10008ec8 7343->7360 7345 10007b50 7346 10008fdc 7345->7346 7347 10008fe8 ___DestructExceptionObject 7346->7347 7380 10005671 RtlEnterCriticalSection 7347->7380 7349 1000905e 7394 10009073 7349->7394 7350 10008ff3 7350->7349 7352 10009032 RtlDeleteCriticalSection 7350->7352 7381 1000a09c 7350->7381 7355 1000571e _free 20 API calls 7352->7355 7353 1000906a _abort 7353->7337 7355->7350 7357 10007b64 RtlDeleteCriticalSection 7356->7357 7358 10009092 7356->7358 7357->7337 7357->7340 7358->7357 7359 1000571e _free 20 API calls 7358->7359 7359->7357 7361 10008ed4 ___DestructExceptionObject 7360->7361 7370 10005671 RtlEnterCriticalSection 7361->7370 7363 10008f77 7375 10008f97 7363->7375 7367 10008f83 _abort 7367->7345 7368 10008e78 30 API calls 7369 10008ee3 7368->7369 7369->7363 7369->7368 7371 10007b94 RtlEnterCriticalSection 7369->7371 7372 10008f6d 7369->7372 7370->7369 7371->7369 7378 10007ba8 RtlLeaveCriticalSection 7372->7378 7374 10008f75 7374->7369 7379 100056b9 RtlLeaveCriticalSection 7375->7379 7377 10008f9e 7377->7367 7378->7374 7379->7377 7380->7350 7382 1000a0a8 ___DestructExceptionObject 7381->7382 7383 1000a0b9 7382->7383 7384 1000a0ce 7382->7384 7385 10006368 _free 20 API calls 
7383->7385 7393 1000a0c9 _abort 7384->7393 7397 10007b94 RtlEnterCriticalSection 7384->7397 7387 1000a0be 7385->7387 7389 100062ac _abort 26 API calls 7387->7389 7388 1000a0ea 7398 1000a026 7388->7398 7389->7393 7391 1000a0f5 7414 1000a112 7391->7414 7393->7350 7489 100056b9 RtlLeaveCriticalSection 7394->7489 7396 1000907a 7396->7353 7397->7388 7399 1000a033 7398->7399 7400 1000a048 7398->7400 7401 10006368 _free 20 API calls 7399->7401 7406 1000a043 7400->7406 7417 10008e12 7400->7417 7402 1000a038 7401->7402 7404 100062ac _abort 26 API calls 7402->7404 7404->7406 7406->7391 7407 1000907c 20 API calls 7408 1000a064 7407->7408 7423 10007a5a 7408->7423 7410 1000a06a 7430 1000adce 7410->7430 7413 1000571e _free 20 API calls 7413->7406 7488 10007ba8 RtlLeaveCriticalSection 7414->7488 7416 1000a11a 7416->7393 7418 10008e26 7417->7418 7419 10008e2a 7417->7419 7418->7407 7419->7418 7420 10007a5a 26 API calls 7419->7420 7421 10008e4a 7420->7421 7445 10009a22 7421->7445 7424 10007a66 7423->7424 7425 10007a7b 7423->7425 7426 10006368 _free 20 API calls 7424->7426 7425->7410 7427 10007a6b 7426->7427 7428 100062ac _abort 26 API calls 7427->7428 7429 10007a76 7428->7429 7429->7410 7431 1000adf2 7430->7431 7432 1000addd 7430->7432 7433 1000ae2d 7431->7433 7437 1000ae19 7431->7437 7434 10006355 __dosmaperr 20 API calls 7432->7434 7435 10006355 __dosmaperr 20 API calls 7433->7435 7436 1000ade2 7434->7436 7438 1000ae32 7435->7438 7439 10006368 _free 20 API calls 7436->7439 7472 1000ada6 7437->7472 7441 10006368 _free 20 API calls 7438->7441 7442 1000a070 7439->7442 7443 1000ae3a 7441->7443 7442->7406 7442->7413 7444 100062ac _abort 26 API calls 7443->7444 7444->7442 7446 10009a2e ___DestructExceptionObject 7445->7446 7447 10009a36 7446->7447 7448 10009a4e 7446->7448 7449 10006355 __dosmaperr 20 API calls 7447->7449 7450 10009aec 7448->7450 7453 10009a83 7448->7453 7451 10009a3b 7449->7451 7452 10006355 __dosmaperr 20 API calls 7450->7452 7455 10006368 _free 20 API calls 7451->7455 
7454 10009af1 7452->7454 7467 10008c7b RtlEnterCriticalSection 7453->7467 7457 10006368 _free 20 API calls 7454->7457 7462 10009a43 _abort 7455->7462 7459 10009af9 7457->7459 7458 10009a89 7461 10006368 _free 20 API calls 7458->7461 7465 10009ab5 7458->7465 7460 100062ac _abort 26 API calls 7459->7460 7460->7462 7463 10009aaa 7461->7463 7462->7418 7464 10006355 __dosmaperr 20 API calls 7463->7464 7464->7465 7468 10009ae4 7465->7468 7467->7458 7471 10008c9e RtlLeaveCriticalSection 7468->7471 7470 10009aea 7470->7462 7471->7470 7475 1000ad24 7472->7475 7474 1000adca 7474->7442 7476 1000ad30 ___DestructExceptionObject 7475->7476 7483 10008c7b RtlEnterCriticalSection 7476->7483 7478 1000ad3e 7479 1000ad65 7478->7479 7480 10006368 _free 20 API calls 7478->7480 7484 1000ad9a 7479->7484 7480->7479 7482 1000ad8d _abort 7482->7474 7483->7478 7487 10008c9e RtlLeaveCriticalSection 7484->7487 7486 1000ada4 7486->7482 7487->7486 7488->7416 7489->7396 6523 10002049 6524 10002055 ___DestructExceptionObject 6523->6524 6525 100020d3 6524->6525 6526 1000207d 6524->6526 6536 1000205e 6524->6536 6558 10002639 IsProcessorFeaturePresent 6525->6558 6537 1000244c 6526->6537 6529 100020da 6530 10002082 6546 10002308 6530->6546 6532 10002087 __RTC_Initialize 6549 100020c4 6532->6549 6534 1000209f 6552 1000260b 6534->6552 6538 10002451 ___scrt_release_startup_lock 6537->6538 6539 10002455 6538->6539 6542 10002461 6538->6542 6540 1000527a _abort 20 API calls 6539->6540 6541 1000245f 6540->6541 6541->6530 6543 1000246e 6542->6543 6544 1000499b _abort 28 API calls 6542->6544 6543->6530 6545 10004bbd 6544->6545 6545->6530 6562 100034c7 RtlInterlockedFlushSList 6546->6562 6548 10002312 6548->6532 6564 1000246f 6549->6564 6551 100020c9 ___scrt_release_startup_lock 6551->6534 6553 10002617 6552->6553 6554 1000262d 6553->6554 6605 100053ed 6553->6605 6554->6536 6559 1000264e ___scrt_fastfail 6558->6559 6560 100026f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6559->6560 
6561 10002744 ___scrt_fastfail 6560->6561 6561->6529 6563 100034d7 6562->6563 6563->6548 6569 100053ff 6564->6569 6576 10005c2b 6569->6576 6572 1000391b 6573 1000354d 6572->6573 6574 10003925 6572->6574 6573->6551 6587 10003b2c 6574->6587 6577 10002476 6576->6577 6578 10005c35 6576->6578 6577->6572 6580 10005db2 6578->6580 6581 10005c45 _abort 5 API calls 6580->6581 6582 10005dd9 6581->6582 6583 10005df1 TlsFree 6582->6583 6584 10005de5 6582->6584 6583->6584 6585 10002ada _ValidateLocalCookies 5 API calls 6584->6585 6586 10005e02 6585->6586 6586->6577 6592 10003a82 6587->6592 6589 10003b46 6590 10003b5e TlsFree 6589->6590 6591 10003b52 6589->6591 6590->6591 6591->6573 6593 10003aaa 6592->6593 6597 10003aa6 __crt_fast_encode_pointer 6592->6597 6593->6597 6598 100039be 6593->6598 6596 10003ac4 GetProcAddress 6596->6597 6597->6589 6603 100039cd try_get_first_available_module 6598->6603 6599 100039ea LoadLibraryExW 6600 10003a05 GetLastError 6599->6600 6599->6603 6600->6603 6601 10003a60 FreeLibrary 6601->6603 6602 10003a77 6602->6596 6602->6597 6603->6599 6603->6601 6603->6602 6604 10003a38 LoadLibraryExW 6603->6604 6604->6603 6616 100074da 6605->6616 6608 10003529 6609 10003532 6608->6609 6610 10003543 6608->6610 6611 1000391b ___vcrt_uninitialize_ptd 6 API calls 6609->6611 6610->6554 6612 10003537 6611->6612 6620 10003972 6612->6620 6619 100074f3 6616->6619 6617 10002ada _ValidateLocalCookies 5 API calls 6618 10002625 6617->6618 6618->6608 6619->6617 6621 1000353c 6620->6621 6622 1000397d 6620->6622 6624 10003c50 6621->6624 6623 10003987 RtlDeleteCriticalSection 6622->6623 6623->6621 6623->6623 6625 10003c59 6624->6625 6627 10003c7f 6624->6627 6626 10003c69 FreeLibrary 6625->6626 6625->6627 6626->6625 6627->6610 7605 10009bcd 7606 10009bd0 7605->7606 7607 10009bd7 7606->7607 7608 10009bf9 7606->7608 7609 10009ccd 7607->7609 7626 10009645 7607->7626 7614 10009bef 7608->7614 7631 10009492 GetConsoleCP 7608->7631 7612 10006368 _free 20 API calls 7609->7612 7613 
10009cc0 7609->7613 7615 10009cf2 7612->7615 7620 10002ada _ValidateLocalCookies 5 API calls 7613->7620 7614->7609 7614->7613 7616 10009ca9 7614->7616 7617 10006355 __dosmaperr 20 API calls 7615->7617 7618 10009cb0 7616->7618 7619 10009cc4 7616->7619 7617->7613 7622 10006368 _free 20 API calls 7618->7622 7621 10006332 __dosmaperr 20 API calls 7619->7621 7623 10009d15 7620->7623 7621->7613 7624 10009cb5 7622->7624 7625 10006355 __dosmaperr 20 API calls 7624->7625 7625->7613 7629 1000969f 7626->7629 7630 1000966a 7626->7630 7627 100096a1 GetLastError 7627->7629 7628 1000a181 WriteConsoleW CreateFileW 7628->7630 7629->7614 7630->7627 7630->7628 7630->7629 7635 100094f5 __fassign 7631->7635 7640 10009607 7631->7640 7632 10002ada _ValidateLocalCookies 5 API calls 7633 10009641 7632->7633 7633->7614 7636 1000957b WideCharToMultiByte 7635->7636 7639 100095d2 WriteFile 7635->7639 7635->7640 7641 10007c19 7635->7641 7637 100095a1 WriteFile 7636->7637 7636->7640 7637->7635 7638 1000962a GetLastError 7637->7638 7638->7640 7639->7635 7639->7638 7640->7632 7642 10005af6 _abort 38 API calls 7641->7642 7643 10007c24 7642->7643 7644 10007a00 38 API calls 7643->7644 7645 10007c34 7644->7645 7645->7635 6628 1000724e GetProcessHeap 6629 1000284f 6630 10002882 std::exception::exception 27 API calls 6629->6630 6631 1000285d 6630->6631 6968 100036d0 6969 100036e2 6968->6969 6971 100036f0 @_EH4_CallFilterFunc@8 6968->6971 6970 10002ada _ValidateLocalCookies 5 API calls 6969->6970 6970->6971 7490 10005351 7491 10005360 7490->7491 7495 10005374 7490->7495 7493 1000571e _free 20 API calls 7491->7493 7491->7495 7492 1000571e _free 20 API calls 7494 10005386 7492->7494 7493->7495 7496 1000571e _free 20 API calls 7494->7496 7495->7492 7497 10005399 7496->7497 7498 1000571e _free 20 API calls 7497->7498 7499 100053aa 7498->7499 7500 1000571e _free 20 API calls 7499->7500 7501 100053bb 7500->7501 7502 10008d52 7503 10008d74 7502->7503 7504 10008d5f 7502->7504 7507 10006355 __dosmaperr 20 API 
calls 7503->7507 7509 10008d99 7503->7509 7505 10006355 __dosmaperr 20 API calls 7504->7505 7506 10008d64 7505->7506 7508 10006368 _free 20 API calls 7506->7508 7510 10008da4 7507->7510 7511 10008d6c 7508->7511 7512 10006368 _free 20 API calls 7510->7512 7513 10008dac 7512->7513 7514 100062ac _abort 26 API calls 7513->7514 7514->7511 6972 100066d5 6973 100066e1 6972->6973 6974 100066f2 6973->6974 6975 100066eb FindClose 6973->6975 6976 10002ada _ValidateLocalCookies 5 API calls 6974->6976 6975->6974 6977 10006701 6976->6977 7646 100073d5 7647 100073e1 ___DestructExceptionObject 7646->7647 7656 10005671 RtlEnterCriticalSection 7647->7656 7649 100073e8 7655 10007406 7649->7655 7657 10007269 GetStartupInfoW 7649->7657 7653 10007417 _abort 7666 10007422 7655->7666 7656->7649 7658 10007286 7657->7658 7659 10007318 7657->7659 7658->7659 7660 100072dd GetFileType 7658->7660 7661 1000731f 7659->7661 7660->7658 7663 10007326 7661->7663 7662 10007369 GetStdHandle 7662->7663 7663->7662 7664 100073d1 7663->7664 7665 1000737c GetFileType 7663->7665 7664->7655 7665->7663 7669 100056b9 RtlLeaveCriticalSection 7666->7669 7668 10007429 7668->7653 7669->7668 6978 10004ed7 6979 10006d60 51 API calls 6978->6979 6980 10004ee9 6979->6980 6989 10007153 GetEnvironmentStringsW 6980->6989 6983 10004ef4 6985 1000571e _free 20 API calls 6983->6985 6986 10004f29 6985->6986 6987 10004eff 6988 1000571e _free 20 API calls 6987->6988 6988->6983 6990 1000716a 6989->6990 7000 100071bd 6989->7000 6993 10007170 WideCharToMultiByte 6990->6993 6991 100071c6 FreeEnvironmentStringsW 6992 10004eee 6991->6992 6992->6983 7001 10004f2f 6992->7001 6994 1000718c 6993->6994 6993->7000 6995 100056d0 21 API calls 6994->6995 6996 10007192 6995->6996 6997 100071af 6996->6997 6998 10007199 WideCharToMultiByte 6996->6998 6999 1000571e _free 20 API calls 6997->6999 6998->6997 6999->7000 7000->6991 7000->6992 7002 10004f44 7001->7002 7003 1000637b _abort 20 API calls 7002->7003 7012 10004f6b 7003->7012 7004 10004fcf 

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1083526818-0
                                                                                                                                                                            • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                                                            • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                                                                                            • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                                                            • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                                              • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                                              • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                                              • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                                                                              • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                                                                                            • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                                                                                            • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                                                                                            • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                                                                                            • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                            • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                            • API String ID: 672098462-2938083778
                                                                                                                                                                            • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                                            • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                                                                                            • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                                            • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                                              • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                                                                              • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                              • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2099061454-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                                              • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                                              • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                                                                              • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                              • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2099061454-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                                                                            • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                            • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2152742572-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                                                                                              • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                                                                                              • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                                                                                            • _strlen.LIBCMT ref: 10001855
                                                                                                                                                                            • _strlen.LIBCMT ref: 10001869
                                                                                                                                                                            • _strlen.LIBCMT ref: 1000188B
                                                                                                                                                                            • _strlen.LIBCMT ref: 100018AE
                                                                                                                                                                            • _strlen.LIBCMT ref: 100018C8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _strlen$File$CopyCreateDelete
                                                                                                                                                                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                                                                            • API String ID: 3296212668-3023110444

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _strlen
                                                                                                                                                                            • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                                                                            • API String ID: 4218353326-230879103

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                                                                            • _free.LIBCMT ref: 10007CFB
                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                            • _free.LIBCMT ref: 10007D1D
                                                                                                                                                                            • _free.LIBCMT ref: 10007D32
                                                                                                                                                                            • _free.LIBCMT ref: 10007D3D
                                                                                                                                                                            • _free.LIBCMT ref: 10007D5F
                                                                                                                                                                            • _free.LIBCMT ref: 10007D72
                                                                                                                                                                            • _free.LIBCMT ref: 10007D80
                                                                                                                                                                            • _free.LIBCMT ref: 10007D8B
                                                                                                                                                                            • _free.LIBCMT ref: 10007DC3
                                                                                                                                                                            • _free.LIBCMT ref: 10007DCA
                                                                                                                                                                            • _free.LIBCMT ref: 10007DE7
                                                                                                                                                                            • _free.LIBCMT ref: 10007DFF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 161543041-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 100059EA
                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                            • _free.LIBCMT ref: 100059F6
                                                                                                                                                                            • _free.LIBCMT ref: 10005A01
                                                                                                                                                                            • _free.LIBCMT ref: 10005A0C
                                                                                                                                                                            • _free.LIBCMT ref: 10005A17
                                                                                                                                                                            • _free.LIBCMT ref: 10005A22
                                                                                                                                                                            • _free.LIBCMT ref: 10005A2D
                                                                                                                                                                            • _free.LIBCMT ref: 10005A38
                                                                                                                                                                            • _free.LIBCMT ref: 10005A43
                                                                                                                                                                            • _free.LIBCMT ref: 10005A51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1454806937-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                                                            • __fassign.LIBCMT ref: 1000954F
                                                                                                                                                                            • __fassign.LIBCMT ref: 1000956A
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1324828854-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                            • String ID: csm
                                                                                                                                                                            • API String ID: 1170836740-1018135373

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                                                            • _free.LIBCMT ref: 100092AB
                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                            • _free.LIBCMT ref: 100092B6
                                                                                                                                                                            • _free.LIBCMT ref: 100092C1
                                                                                                                                                                            • _free.LIBCMT ref: 10009315
                                                                                                                                                                            • _free.LIBCMT ref: 10009320
                                                                                                                                                                            • _free.LIBCMT ref: 1000932B
                                                                                                                                                                            • _free.LIBCMT ref: 10009336
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                                                                                            • __freea.LIBCMT ref: 10008A08
                                                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                            • __freea.LIBCMT ref: 10008A11
                                                                                                                                                                            • __freea.LIBCMT ref: 10008A36
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1414292761-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _strlen.LIBCMT ref: 10001607
                                                                                                                                                                            • _strcat.LIBCMT ref: 1000161D
                                                                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1922816806-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3594823470-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                                                                            • _free.LIBCMT ref: 10005B2D
                                                                                                                                                                            • _free.LIBCMT ref: 10005B55
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                                                                            • _abort.LIBCMT ref: 10005B74
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3160817290-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                            • API String ID: 4036392271-1520055953
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                                                                            • _free.LIBCMT ref: 100071B8
                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 336800556-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                                                                            • _free.LIBCMT ref: 10005BB4
                                                                                                                                                                            • _free.LIBCMT ref: 10005BDB
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3170660625-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                            • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlen$lstrcat
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 493641738-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 100091D0
                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                            • _free.LIBCMT ref: 100091E2
                                                                                                                                                                            • _free.LIBCMT ref: 100091F4
                                                                                                                                                                            • _free.LIBCMT ref: 10009206
                                                                                                                                                                            • _free.LIBCMT ref: 10009218
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 1000536F
                                                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                            • _free.LIBCMT ref: 10005381
                                                                                                                                                                            • _free.LIBCMT ref: 10005394
                                                                                                                                                                            • _free.LIBCMT ref: 100053A5
                                                                                                                                                                            • _free.LIBCMT ref: 100053B6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                                                            • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                                                                                            • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                                                            • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe,00000104), ref: 10004C1D
                                                                                                                                                                            • _free.LIBCMT ref: 10004CE8
                                                                                                                                                                            • _free.LIBCMT ref: 10004CF2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\RNJBFdvJTXAE.exe
                                                                                                                                                                            • API String ID: 2506810119-3909466302
                                                                                                                                                                            • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                                            • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                                                                                            • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                                            • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                                                                                            • __freea.LIBCMT ref: 100087D5
                                                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2652629310-0
                                                                                                                                                                            • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                                                            • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                                                                            • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                                                            • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                                                                                            • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3177248105-0
                                                                                                                                                                            • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                                            • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                                                                                            • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                                            • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _strlen
                                                                                                                                                                            • String ID: : $Se.
                                                                                                                                                                            • API String ID: 4218353326-4089948878
                                                                                                                                                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                                            • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                                                                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                                            • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                                                                                            APIs
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                                                                                                              • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000000E.00000002.3851996639.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                            • Associated: 0000000E.00000002.3851969398.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                            • Associated: 0000000E.00000002.3851996639.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_14_2_10000000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                            • String ID: Unknown exception
                                                                                                                                                                            • API String ID: 3476068407-410509341
                                                                                                                                                                            • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                                                                                            • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                                                                                                            • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                                                                                            • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:6.3%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                                                                            Signature Coverage:0.8%
                                                                                                                                                                            Total number of Nodes:2000
                                                                                                                                                                            Total number of Limit Nodes:68
402cb3 38733->38734 38735 40b2cc 27 API calls 38734->38735 38736 402cd5 38735->38736 38737 40b2cc 27 API calls 38736->38737 38738 402cf0 38737->38738 38739 40b2cc 27 API calls 38738->38739 38740 402d0b 38739->38740 38741 40b2cc 27 API calls 38740->38741 38742 402d26 38741->38742 38743 40b2cc 27 API calls 38742->38743 38744 402d3e 38743->38744 38745 40b2cc 27 API calls 38744->38745 38746 402d59 38745->38746 38747 40b2cc 27 API calls 38746->38747 38748 402d78 38747->38748 38749 40b2cc 27 API calls 38748->38749 38750 402d93 38749->38750 38751 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38750->38751 38751->38634 38752->38624 38756 40b58d 38753->38756 38755 40b2d1 38755->38698 38757 40b5a4 GetModuleHandleW FindResourceW 38756->38757 38758 40b62e 38756->38758 38759 40b5c2 LoadResource 38757->38759 38761 40b5e7 38757->38761 38758->38755 38760 40b5d0 SizeofResource LockResource 38759->38760 38759->38761 38760->38761 38761->38758 38769 40afcf 38761->38769 38763 40b608 memcpy 38772 40b4d3 memcpy 38763->38772 38765 40b61e 38773 40b3c1 18 API calls 38765->38773 38767 40b626 38774 40b04b 38767->38774 38770 40b04b ??3@YAXPAX 38769->38770 38771 40afd7 ??2@YAPAXI 38770->38771 38771->38763 38772->38765 38773->38767 38775 40b051 ??3@YAXPAX 38774->38775 38776 40b05f 38774->38776 38775->38776 38776->38758 38777->38642 38779 4032c4 38778->38779 38780 40b633 free 38779->38780 38781 403316 38780->38781 38800 44553b 38781->38800 38785 403480 38998 40368c 15 API calls 38785->38998 38787 403489 38788 40b633 free 38787->38788 38789 403495 38788->38789 38789->38644 38790 4033a9 memset memcpy 38791 4033ec wcscmp 38790->38791 38792 40333c 38790->38792 38791->38792 38792->38785 38792->38790 38792->38791 38996 4028e7 11 API calls 38792->38996 38997 40f508 6 API calls 38792->38997 38794 403421 _wcsicmp 38794->38792 38797 444a64 FreeLibrary 38796->38797 38798 444a83 38796->38798 38797->38798 38798->38644 38799->38645 38801 445548 38800->38801 38802 445599 
38801->38802 38999 40c768 38801->38999 38803 4455a8 memset 38802->38803 38946 4457f2 38802->38946 39082 403988 38803->39082 38810 445854 38811 4458aa 38810->38811 39207 403c9c memset memset memset memset memset 38810->39207 38813 44594a 38811->38813 38814 4458bb memset memset 38811->38814 38812 445672 39093 403fbe memset memset memset memset memset 38812->39093 38816 4459ed 38813->38816 38817 44595e memset memset 38813->38817 38819 414c2e 16 API calls 38814->38819 38822 445a00 memset memset 38816->38822 38823 445b22 38816->38823 38824 414c2e 16 API calls 38817->38824 38818 4455e5 38818->38812 38836 44560f 38818->38836 38825 4458f9 38819->38825 39230 414c2e 38822->39230 38828 445bca 38823->38828 38829 445b38 memset memset memset 38823->38829 38834 44599c 38824->38834 38835 40b2cc 27 API calls 38825->38835 38846 445c8b memset memset 38828->38846 38896 445cf0 38828->38896 38841 445bd4 38829->38841 38842 445b98 38829->38842 38830 445849 39295 40b1ab free free 38830->39295 38845 40b2cc 27 API calls 38834->38845 38847 445909 38835->38847 38838 4087b3 338 API calls 38836->38838 38857 445621 38838->38857 38840 44589f 39296 40b1ab free free 38840->39296 38854 414c2e 16 API calls 38841->38854 38842->38841 38850 445ba2 38842->38850 38859 4459ac 38845->38859 38848 414c2e 16 API calls 38846->38848 38856 409d1f 6 API calls 38847->38856 38860 445cc9 38848->38860 39368 4099c6 wcslen 38850->39368 38851 4456b2 39283 40b1ab free free 38851->39283 38853 40b2cc 27 API calls 38863 445a4f 38853->38863 38865 445be2 38854->38865 38855 403335 38995 4452e5 45 API calls 38855->38995 38868 445919 38856->38868 39281 4454bf 20 API calls 38857->39281 38858 445823 38858->38830 38876 4087b3 338 API calls 38858->38876 38869 409d1f 6 API calls 38859->38869 38870 409d1f 6 API calls 38860->38870 38861 445879 38861->38840 38880 4087b3 338 API calls 38861->38880 39245 409d1f wcslen wcslen 38863->39245 38874 40b2cc 27 API calls 38865->38874 38866 445d3d 38894 40b2cc 27 API calls 38866->38894 38867 445d88 
memset memset memset 38877 414c2e 16 API calls 38867->38877 39297 409b98 GetFileAttributesW 38868->39297 38878 4459bc 38869->38878 38879 445ce1 38870->38879 38871 445bb3 39371 445403 memset 38871->39371 38872 445680 38872->38851 39116 4087b3 memset 38872->39116 38883 445bf3 38874->38883 38876->38858 38886 445dde 38877->38886 39364 409b98 GetFileAttributesW 38878->39364 39388 409b98 GetFileAttributesW 38879->39388 38880->38861 38893 409d1f 6 API calls 38883->38893 38884 445928 38884->38813 39298 40b6ef 38884->39298 38895 40b2cc 27 API calls 38886->38895 38888 4459cb 38888->38816 38905 40b6ef 252 API calls 38888->38905 38892 40b2cc 27 API calls 38898 445a94 38892->38898 38900 445c07 38893->38900 38901 445d54 _wcsicmp 38894->38901 38904 445def 38895->38904 38896->38855 38896->38866 38896->38867 38897 445389 258 API calls 38897->38828 39250 40ae18 38898->39250 38899 44566d 38899->38946 39167 413d4c 38899->39167 38908 445389 258 API calls 38900->38908 38909 445d71 38901->38909 38972 445d67 38901->38972 38903 445665 39282 40b1ab free free 38903->39282 38910 409d1f 6 API calls 38904->38910 38905->38816 38913 445c17 38908->38913 39389 445093 23 API calls 38909->39389 38916 445e03 38910->38916 38912 4456d8 38918 40b2cc 27 API calls 38912->38918 38919 40b2cc 27 API calls 38913->38919 38915 44563c 38915->38903 38921 4087b3 338 API calls 38915->38921 39390 409b98 GetFileAttributesW 38916->39390 38917 40b6ef 252 API calls 38917->38855 38923 4456e2 38918->38923 38924 445c23 38919->38924 38920 445d83 38920->38855 38921->38915 39284 413fa6 _wcsicmp _wcsicmp 38923->39284 38928 409d1f 6 API calls 38924->38928 38926 445e12 38929 445e6b 38926->38929 38933 40b2cc 27 API calls 38926->38933 38931 445c37 38928->38931 39392 445093 23 API calls 38929->39392 38930 4456eb 38936 4456fd memset memset memset memset 38930->38936 38937 4457ea 38930->38937 38938 445389 258 API calls 38931->38938 38932 445b17 39365 40aebe 38932->39365 38940 445e33 38933->38940 39285 409c70 wcscpy wcsrchr 
38936->39285 39288 413d29 38937->39288 38944 445c47 38938->38944 38945 409d1f 6 API calls 38940->38945 38942 445e7e 38947 445f67 38942->38947 38950 40b2cc 27 API calls 38944->38950 38951 445e47 38945->38951 38946->38810 39184 403e2d memset memset memset memset memset 38946->39184 38952 40b2cc 27 API calls 38947->38952 38948 445ab2 memset 38953 40b2cc 27 API calls 38948->38953 38955 445c53 38950->38955 39391 409b98 GetFileAttributesW 38951->39391 38957 445f73 38952->38957 38958 445aa1 38953->38958 38954 409c70 2 API calls 38959 44577e 38954->38959 38960 409d1f 6 API calls 38955->38960 38962 409d1f 6 API calls 38957->38962 38958->38932 38958->38948 38963 409d1f 6 API calls 38958->38963 39257 40add4 38958->39257 39262 445389 38958->39262 39271 40ae51 38958->39271 38964 409c70 2 API calls 38959->38964 38965 445c67 38960->38965 38961 445e56 38961->38929 38969 445e83 memset 38961->38969 38966 445f87 38962->38966 38963->38958 38967 44578d 38964->38967 38968 445389 258 API calls 38965->38968 39395 409b98 GetFileAttributesW 38966->39395 38967->38937 38974 40b2cc 27 API calls 38967->38974 38968->38828 38973 40b2cc 27 API calls 38969->38973 38972->38855 38972->38917 38975 445eab 38973->38975 38976 4457a8 38974->38976 38977 409d1f 6 API calls 38975->38977 38978 409d1f 6 API calls 38976->38978 38980 445ebf 38977->38980 38979 4457b8 38978->38979 39287 409b98 GetFileAttributesW 38979->39287 38982 40ae18 9 API calls 38980->38982 38986 445ef5 38982->38986 38984 40ae51 9 API calls 38984->38986 38986->38984 38987 445f5c 38986->38987 38989 40add4 2 API calls 38986->38989 38990 40b2cc 27 API calls 38986->38990 38991 409d1f 6 API calls 38986->38991 38993 445f3a 38986->38993 39393 409b98 GetFileAttributesW 38986->39393 38988 40aebe FindClose 38987->38988 38988->38947 38989->38986 38990->38986 38991->38986 39394 445093 23 API calls 38993->39394 38995->38792 38996->38794 38997->38792 38998->38787 39000 40c775 38999->39000 39396 40b1ab free free 39000->39396 39002 40c788 39397 40b1ab free 
free 39002->39397 39004 40c790 39398 40b1ab free free 39004->39398 39006 40c798 39007 40aa04 free 39006->39007 39008 40c7a0 39007->39008 39399 40c274 memset 39008->39399 39013 40a8ab 9 API calls 39014 40c7c3 39013->39014 39015 40a8ab 9 API calls 39014->39015 39016 40c7d0 39015->39016 39428 40c3c3 39016->39428 39020 40c877 39029 40bdb0 39020->39029 39021 40c86c 39470 4053fe 39 API calls 39021->39470 39027 40c7e5 39027->39020 39027->39021 39028 40c634 49 API calls 39027->39028 39453 40a706 39027->39453 39028->39027 39663 404363 39029->39663 39032 40bf5d 39683 40440c 39032->39683 39034 40bdee 39034->39032 39037 40b2cc 27 API calls 39034->39037 39035 40bddf CredEnumerateW 39035->39034 39083 40399d 39082->39083 39729 403a16 39083->39729 39086 403a12 wcsrchr 39086->38818 39089 4039a3 39090 4039f4 39089->39090 39092 403a09 39089->39092 39740 40a02c CreateFileW 39089->39740 39091 4099c6 2 API calls 39090->39091 39090->39092 39091->39092 39743 40b1ab free free 39092->39743 39094 414c2e 16 API calls 39093->39094 39095 404048 39094->39095 39096 414c2e 16 API calls 39095->39096 39097 404056 39096->39097 39098 409d1f 6 API calls 39097->39098 39099 404073 39098->39099 39100 409d1f 6 API calls 39099->39100 39101 40408e 39100->39101 39102 409d1f 6 API calls 39101->39102 39103 4040a6 39102->39103 39104 403af5 20 API calls 39103->39104 39105 4040ba 39104->39105 39106 403af5 20 API calls 39105->39106 39107 4040cb 39106->39107 39770 40414f memset 39107->39770 39109 404140 39784 40b1ab free free 39109->39784 39110 4040ec memset 39114 4040e0 39110->39114 39112 404148 39112->38872 39113 4099c6 2 API calls 39113->39114 39114->39109 39114->39110 39114->39113 39115 40a8ab 9 API calls 39114->39115 39115->39114 39797 40a6e6 WideCharToMultiByte 39116->39797 39168 40b633 free 39167->39168 39169 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39168->39169 39170 413f00 Process32NextW 39169->39170 39171 413da5 OpenProcess 39170->39171 39172 413f17 CloseHandle 39170->39172 39173 413eb0 
39171->39173 39174 413df3 memset 39171->39174 39172->38912 39173->39170 39176 413ebf free 39173->39176 39177 4099f4 3 API calls 39173->39177 40033 413f27 39174->40033 39176->39173 39177->39173 39179 413e37 GetModuleHandleW 39180 413e1f 39179->39180 39181 413e46 GetProcAddress 39179->39181 39180->39179 40038 413959 39180->40038 40054 413ca4 39180->40054 39181->39180 39183 413ea2 CloseHandle 39183->39173 39185 414c2e 16 API calls 39184->39185 39186 403eb7 39185->39186 39187 414c2e 16 API calls 39186->39187 39188 403ec5 39187->39188 39189 409d1f 6 API calls 39188->39189 39190 403ee2 39189->39190 39191 409d1f 6 API calls 39190->39191 39192 403efd 39191->39192 39193 409d1f 6 API calls 39192->39193 39194 403f15 39193->39194 39195 403af5 20 API calls 39194->39195 39196 403f29 39195->39196 39197 403af5 20 API calls 39196->39197 39198 403f3a 39197->39198 39199 40414f 33 API calls 39198->39199 39205 403f4f 39199->39205 39200 403faf 40068 40b1ab free free 39200->40068 39202 403f5b memset 39202->39205 39203 403fb7 39203->38858 39204 4099c6 2 API calls 39204->39205 39205->39200 39205->39202 39205->39204 39206 40a8ab 9 API calls 39205->39206 39206->39205 39208 414c2e 16 API calls 39207->39208 39209 403d26 39208->39209 39210 414c2e 16 API calls 39209->39210 39211 403d34 39210->39211 39212 409d1f 6 API calls 39211->39212 39213 403d51 39212->39213 39214 409d1f 6 API calls 39213->39214 39215 403d6c 39214->39215 39216 409d1f 6 API calls 39215->39216 39217 403d84 39216->39217 39218 403af5 20 API calls 39217->39218 39219 403d98 39218->39219 39220 403af5 20 API calls 39219->39220 39221 403da9 39220->39221 39222 40414f 33 API calls 39221->39222 39228 403dbe 39222->39228 39223 403e1e 40069 40b1ab free free 39223->40069 39224 403dca memset 39224->39228 39226 403e26 39226->38861 39227 4099c6 2 API calls 39227->39228 39228->39223 39228->39224 39228->39227 39229 40a8ab 9 API calls 39228->39229 39229->39228 39231 414b81 9 API calls 39230->39231 39232 414c40 39231->39232 39233 414c73 memset 
39232->39233 40070 409cea 39232->40070 39237 414c94 39233->39237 39236 414c64 39236->38853 40073 414592 RegOpenKeyExW 39237->40073 39239 414cc1 39240 414cf4 wcscpy 39239->39240 40074 414bb0 wcscpy 39239->40074 39240->39236 39242 414cd2 40075 4145ac RegQueryValueExW 39242->40075 39244 414ce9 RegCloseKey 39244->39240 39246 409d43 wcscpy 39245->39246 39248 409d62 39245->39248 39247 409719 2 API calls 39246->39247 39249 409d51 wcscat 39247->39249 39248->38892 39249->39248 39251 40aebe FindClose 39250->39251 39252 40ae21 39251->39252 39253 4099c6 2 API calls 39252->39253 39254 40ae35 39253->39254 39255 409d1f 6 API calls 39254->39255 39256 40ae49 39255->39256 39256->38958 39258 40ade0 39257->39258 39259 40ae0f 39257->39259 39258->39259 39260 40ade7 wcscmp 39258->39260 39259->38958 39260->39259 39261 40adfe wcscmp 39260->39261 39261->39259 39263 40ae18 9 API calls 39262->39263 39269 4453c4 39263->39269 39264 40ae51 9 API calls 39264->39269 39265 4453f3 39266 40aebe FindClose 39265->39266 39268 4453fe 39266->39268 39267 40add4 2 API calls 39267->39269 39268->38958 39269->39264 39269->39265 39269->39267 39270 445403 253 API calls 39269->39270 39270->39269 39272 40ae7b FindNextFileW 39271->39272 39273 40ae5c FindFirstFileW 39271->39273 39274 40ae8f 39272->39274 39275 40ae94 39272->39275 39273->39275 39276 40aebe FindClose 39274->39276 39277 40aeb6 39275->39277 39278 409d1f 6 API calls 39275->39278 39276->39275 39277->38958 39278->39277 39281->38915 39282->38899 39283->38899 39284->38930 39286 409c89 39285->39286 39286->38954 39289 413d39 39288->39289 39290 413d2f FreeLibrary 39288->39290 39291 40b633 free 39289->39291 39290->39289 39292 413d42 39291->39292 39293 40b633 free 39292->39293 39294 413d4a 39293->39294 39294->38946 39295->38810 39296->38811 39297->38884 39299 44db70 39298->39299 39300 40b6fc memset 39299->39300 39301 409c70 2 API calls 39300->39301 39302 40b732 wcsrchr 39301->39302 39303 40b743 39302->39303 39304 40b746 memset 39302->39304 39303->39304 39305 
40b2cc 27 API calls 39304->39305 39306 40b76f 39305->39306 39307 409d1f 6 API calls 39306->39307 39308 40b783 39307->39308 40076 409b98 GetFileAttributesW 39308->40076 39310 40b792 39311 409c70 2 API calls 39310->39311 39325 40b7c2 39310->39325 39313 40b7a5 39311->39313 39315 40b2cc 27 API calls 39313->39315 39319 40b7b2 39315->39319 39316 40b837 CloseHandle 39318 40b83e memset 39316->39318 39317 40b817 40111 409a45 GetTempPathW 39317->40111 40110 40a6e6 WideCharToMultiByte 39318->40110 39323 409d1f 6 API calls 39319->39323 39321 40b827 CopyFileW 39321->39318 39323->39325 39324 40b866 39326 444432 121 API calls 39324->39326 40077 40bb98 39325->40077 39327 40b879 39326->39327 39328 40bad5 39327->39328 39329 40b273 27 API calls 39327->39329 39330 40baeb 39328->39330 39331 40bade DeleteFileW 39328->39331 39332 40b89a 39329->39332 39333 40b04b ??3@YAXPAX 39330->39333 39331->39330 39334 438552 134 API calls 39332->39334 39335 40baf3 39333->39335 39336 40b8a4 39334->39336 39335->38813 39337 40bacd 39336->39337 39339 4251c4 137 API calls 39336->39339 39338 443d90 111 API calls 39337->39338 39338->39328 39362 40b8b8 39339->39362 39340 40bac6 40123 424f26 123 API calls 39340->40123 39341 40b8bd memset 40114 425413 17 API calls 39341->40114 39344 425413 17 API calls 39344->39362 39347 40a71b MultiByteToWideChar 39347->39362 39348 40a734 MultiByteToWideChar 39348->39362 39351 40b9b5 memcmp 39351->39362 39352 4099c6 2 API calls 39352->39362 39353 404423 37 API calls 39353->39362 39356 40bb3e memset memcpy 40124 40a734 MultiByteToWideChar 39356->40124 39357 4251c4 137 API calls 39357->39362 39359 40bb88 LocalFree 39359->39362 39362->39340 39362->39341 39362->39344 39362->39347 39362->39348 39362->39351 39362->39352 39362->39353 39362->39356 39362->39357 39363 40ba5f memcmp 39362->39363 40115 4253ef 16 API calls 39362->40115 40116 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39362->40116 40117 4253af 17 API calls 39362->40117 40118 4253cf 17 API calls 39362->40118 40119 
447280 memset 39362->40119 40120 447960 memset memcpy memcpy memcpy 39362->40120 40121 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39362->40121 40122 447920 memcpy memcpy memcpy 39362->40122 39363->39362 39364->38888 39366 40aed1 39365->39366 39367 40aec7 FindClose 39365->39367 39366->38823 39367->39366 39369 4099d7 39368->39369 39370 4099da memcpy 39368->39370 39369->39370 39370->38871 39372 40b2cc 27 API calls 39371->39372 39373 44543f 39372->39373 39374 409d1f 6 API calls 39373->39374 39375 44544f 39374->39375 40213 409b98 GetFileAttributesW 39375->40213 39377 445476 39380 40b2cc 27 API calls 39377->39380 39378 44545e 39378->39377 39379 40b6ef 252 API calls 39378->39379 39379->39377 39381 445482 39380->39381 39382 409d1f 6 API calls 39381->39382 39383 445492 39382->39383 40214 409b98 GetFileAttributesW 39383->40214 39385 4454a1 39386 4454b9 39385->39386 39387 40b6ef 252 API calls 39385->39387 39386->38897 39387->39386 39388->38896 39389->38920 39390->38926 39391->38961 39392->38942 39393->38986 39394->38986 39395->38972 39396->39002 39397->39004 39398->39006 39400 414c2e 16 API calls 39399->39400 39401 40c2ae 39400->39401 39471 40c1d3 39401->39471 39406 40c3be 39423 40a8ab 39406->39423 39407 40afcf 2 API calls 39408 40c2fd FindFirstUrlCacheEntryW 39407->39408 39409 40c3b6 39408->39409 39410 40c31e wcschr 39408->39410 39411 40b04b ??3@YAXPAX 39409->39411 39412 40c331 39410->39412 39413 40c35e FindNextUrlCacheEntryW 39410->39413 39411->39406 39414 40a8ab 9 API calls 39412->39414 39413->39410 39415 40c373 GetLastError 39413->39415 39418 40c33e wcschr 39414->39418 39416 40c3ad FindCloseUrlCache 39415->39416 39417 40c37e 39415->39417 39416->39409 39419 40afcf 2 API calls 39417->39419 39418->39413 39420 40c34f 39418->39420 39421 40c391 FindNextUrlCacheEntryW 39419->39421 39422 40a8ab 9 API calls 39420->39422 39421->39410 39421->39416 39422->39413 39587 40a97a 39423->39587 39426 40a8cc 39426->39013 39593 40b1ab free free 39428->39593 39430 40c3dd 39431 40b2cc 27 API calls 
39430->39431 39432 40c3e7 39431->39432 39594 414592 RegOpenKeyExW 39432->39594 39434 40c3f4 39435 40c50e 39434->39435 39436 40c3ff 39434->39436 39450 405337 39435->39450 39437 40a9ce 4 API calls 39436->39437 39438 40c418 memset 39437->39438 39595 40aa1d 39438->39595 39441 40c471 39443 40c47a _wcsupr 39441->39443 39442 40c505 RegCloseKey 39442->39435 39597 40a8d0 7 API calls 39443->39597 39445 40c498 39598 40a8d0 7 API calls 39445->39598 39447 40c4ac memset 39448 40aa1d 39447->39448 39449 40c4e4 RegEnumValueW 39448->39449 39449->39442 39449->39443 39599 405220 39450->39599 39454 4099c6 2 API calls 39453->39454 39455 40a714 _wcslwr 39454->39455 39456 40c634 39455->39456 39656 405361 39456->39656 39459 40c65c wcslen 39659 4053b6 39 API calls 39459->39659 39460 40c71d wcslen 39460->39027 39462 40c677 39470->39020 39472 40ae18 9 API calls 39471->39472 39478 40c210 39472->39478 39473 40ae51 9 API calls 39473->39478 39474 40c264 39475 40aebe FindClose 39474->39475 39477 40c26f 39475->39477 39476 40add4 2 API calls 39476->39478 39483 40e5ed memset memset 39477->39483 39478->39473 39478->39474 39478->39476 39479 40c231 _wcsicmp 39478->39479 39480 40c1d3 35 API calls 39478->39480 39479->39478 39481 40c248 39479->39481 39480->39478 39496 40c084 22 API calls 39481->39496 39484 414c2e 16 API calls 39483->39484 39485 40e63f 39484->39485 39486 409d1f 6 API calls 39485->39486 39487 40e658 39486->39487 39497 409b98 GetFileAttributesW 39487->39497 39489 40e667 39490 40e680 39489->39490 39491 409d1f 6 API calls 39489->39491 39498 409b98 GetFileAttributesW 39490->39498 39491->39490 39493 40e68f 39495 40c2d8 39493->39495 39499 40e4b2 39493->39499 39495->39406 39495->39407 39496->39478 39497->39489 39498->39493 39520 40e01e 39499->39520 39501 40e593 39502 40e5b0 39501->39502 39503 40e59c DeleteFileW 39501->39503 39505 40b04b ??3@YAXPAX 39502->39505 39503->39502 39504 40e521 39504->39501 39543 40e175 39504->39543 39506 40e5bb 39505->39506 39508 40e5c4 CloseHandle 39506->39508 39509 
40e5cc 39506->39509 39508->39509 39511 40b633 free 39509->39511 39510 40e573 39513 40e584 39510->39513 39514 40e57c CloseHandle 39510->39514 39512 40e5db 39511->39512 39516 40b633 free 39512->39516 39586 40b1ab free free 39513->39586 39514->39513 39515 40e540 39515->39510 39563 40e2ab 39515->39563 39518 40e5e3 39516->39518 39518->39495 39521 406214 22 API calls 39520->39521 39522 40e03c 39521->39522 39523 40e16b 39522->39523 39524 40dd85 74 API calls 39522->39524 39523->39504 39525 40e06b 39524->39525 39525->39523 39526 40afcf ??2@YAPAXI ??3@YAXPAX 39525->39526 39527 40e08d OpenProcess 39526->39527 39528 40e0a4 GetCurrentProcess DuplicateHandle 39527->39528 39532 40e152 39527->39532 39529 40e0d0 GetFileSize 39528->39529 39530 40e14a CloseHandle 39528->39530 39533 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39529->39533 39530->39532 39531 40e160 39535 40b04b ??3@YAXPAX 39531->39535 39532->39531 39534 406214 22 API calls 39532->39534 39536 40e0ea 39533->39536 39534->39531 39535->39523 39537 4096dc CreateFileW 39536->39537 39538 40e0f1 CreateFileMappingW 39537->39538 39539 40e140 CloseHandle CloseHandle 39538->39539 39540 40e10b MapViewOfFile 39538->39540 39539->39530 39541 40e13b CloseHandle 39540->39541 39542 40e11f WriteFile UnmapViewOfFile 39540->39542 39541->39539 39542->39541 39544 40e18c 39543->39544 39545 406b90 11 API calls 39544->39545 39546 40e19f 39545->39546 39547 40e1a7 memset 39546->39547 39548 40e299 39546->39548 39553 40e1e8 39547->39553 39549 4069a3 ??3@YAXPAX free 39548->39549 39550 40e2a4 39549->39550 39550->39515 39551 406e8f 13 API calls 39551->39553 39552 406b53 SetFilePointerEx ReadFile 39552->39553 39553->39551 39553->39552 39554 40e283 39553->39554 39555 40dd50 _wcsicmp 39553->39555 39559 40742e 8 API calls 39553->39559 39560 40aae3 wcslen wcslen _memicmp 39553->39560 39561 40e244 _snwprintf 39553->39561 39556 40e291 39554->39556 39557 40e288 free 39554->39557 39555->39553 39558 40aa04 free 39556->39558 39557->39556 39558->39548 
39559->39553 39560->39553 39562 40a8d0 7 API calls 39561->39562 39562->39553 39564 40e2c2 39563->39564 39565 406b90 11 API calls 39564->39565 39585 40e2d3 39565->39585 39566 40e4a0 39567 4069a3 ??3@YAXPAX free 39566->39567 39569 40e4ab 39567->39569 39568 406e8f 13 API calls 39568->39585 39569->39515 39570 406b53 SetFilePointerEx ReadFile 39570->39585 39571 40e489 39572 40aa04 free 39571->39572 39573 40e491 39572->39573 39573->39566 39574 40e497 free 39573->39574 39574->39566 39575 40dd50 _wcsicmp 39575->39585 39576 40dd50 _wcsicmp 39577 40e376 memset 39576->39577 39578 40aa29 6 API calls 39577->39578 39578->39585 39579 40742e 8 API calls 39579->39585 39580 40e3e0 memcpy 39580->39585 39581 40e3b3 wcschr 39581->39585 39582 40e3fb memcpy 39582->39585 39583 40e416 memcpy 39583->39585 39584 40e431 memcpy 39584->39585 39585->39566 39585->39568 39585->39570 39585->39571 39585->39575 39585->39576 39585->39579 39585->39580 39585->39581 39585->39582 39585->39583 39585->39584 39586->39501 39589 40a980 39587->39589 39588 40a8bb 39588->39426 39592 40a8d0 7 API calls 39588->39592 39589->39588 39590 40a995 _wcsicmp 39589->39590 39591 40a99c wcscmp 39589->39591 39590->39589 39591->39589 39592->39426 39593->39430 39594->39434 39596 40aa23 RegEnumValueW 39595->39596 39596->39441 39596->39442 39597->39445 39598->39447 39600 405335 39599->39600 39601 40522a 39599->39601 39600->39027 39602 40b2cc 27 API calls 39601->39602 39603 405234 39602->39603 39604 40a804 8 API calls 39603->39604 39605 40523a 39604->39605 39644 40b273 39605->39644 39607 405248 _mbscpy _mbscat GetProcAddress 39608 40b273 27 API calls 39607->39608 39609 405279 39608->39609 39647 405211 GetProcAddress 39609->39647 39645 40b58d 27 API calls 39644->39645 39646 40b18c 39645->39646 39646->39607 39657 405220 39 API calls 39656->39657 39658 405369 39657->39658 39658->39459 39658->39460 39659->39462 39664 40440c FreeLibrary 39663->39664 39665 40436d 39664->39665 39666 40a804 8 API calls 39665->39666 39667 404377 
39666->39667 39668 404383 39667->39668 39669 404405 39667->39669 39670 40b273 27 API calls 39668->39670 39669->39032 39669->39034 39669->39035 39671 40438d GetProcAddress 39670->39671 39684 404413 FreeLibrary 39683->39684 39730 403a29 39729->39730 39744 403bed memset memset 39730->39744 39732 403ae7 39757 40b1ab free free 39732->39757 39733 403a3f memset 39738 403a2f 39733->39738 39735 403aef 39735->39089 39736 409d1f 6 API calls 39736->39738 39737 409b98 GetFileAttributesW 39737->39738 39738->39732 39738->39733 39738->39736 39738->39737 39739 40a8d0 7 API calls 39738->39739 39739->39738 39741 40a051 GetFileTime CloseHandle 39740->39741 39742 4039ca CompareFileTime 39740->39742 39741->39742 39742->39089 39743->39086 39745 414c2e 16 API calls 39744->39745 39746 403c38 39745->39746 39747 409719 2 API calls 39746->39747 39748 403c3f wcscat 39747->39748 39749 414c2e 16 API calls 39748->39749 39750 403c61 39749->39750 39751 409719 2 API calls 39750->39751 39752 403c68 wcscat 39751->39752 39758 403af5 39752->39758 39755 403af5 20 API calls 39756 403c95 39755->39756 39756->39738 39757->39735 39759 403b02 39758->39759 39760 40ae18 9 API calls 39759->39760 39762 403b37 39760->39762 39761 40ae51 9 API calls 39761->39762 39762->39761 39763 403bdb 39762->39763 39764 40add4 wcscmp wcscmp 39762->39764 39767 40ae18 9 API calls 39762->39767 39768 40aebe FindClose 39762->39768 39769 40a8d0 7 API calls 39762->39769 39765 40aebe FindClose 39763->39765 39764->39762 39766 403be6 39765->39766 39766->39755 39767->39762 39768->39762 39769->39762 39771 409d1f 6 API calls 39770->39771 39772 404190 39771->39772 39785 409b98 GetFileAttributesW 39772->39785 39774 40419c 39775 4041a7 6 API calls 39774->39775 39776 40435c 39774->39776 39778 40424f 39775->39778 39776->39114 39778->39776 39779 40425e memset 39778->39779 39781 409d1f 6 API calls 39778->39781 39782 40a8ab 9 API calls 39778->39782 39786 414842 39778->39786 39779->39778 39780 404296 wcscpy 39779->39780 39780->39778 39781->39778 39783 

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                            control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 CloseHandle GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 354 40de5a 351->354 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 356 40de5d-40de63 354->356 358 40de74-40de78 356->358 359 40de65-40de6c 356->359 358->352 358->356 359->358 361 40de6e-40de71 359->361 361->358 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 373 40dff8-40dffb 370->373 374 40defd-40df02 370->374 371->370 372 40ded0-40dee1 _wcsicmp 371->372 372->370 375 40dffd-40e006 372->375 373->363 373->375 376 40df08 374->376 377 40dfef-40dff2 CloseHandle 374->377 375->362 375->363 378 40df0b-40df10 376->378 377->373 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 381 40df23-40df4a GetCurrentProcess DuplicateHandle 379->381 380->378 382 40dfd1-40dfd3 380->382 381->380 383 40df4c-40df76 memset call 41352f 381->383 382->377 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->377
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                            • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                                                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                                                                            • memset.MSVCRT ref: 0040DF5F
                                                                                                                                                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                                                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                                                            • API String ID: 708747863-3398334509
                                                                                                                                                                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                                                                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                            • free.MSVCRT ref: 00418803
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1355100292-0
                                                                                                                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileFind$FirstNext
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1690352074-0
                                                                                                                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0041898C
                                                                                                                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoSystemmemset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3558857096-0
                                                                                                                                                                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004455C2
                                                                                                                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                            • memset.MSVCRT ref: 0044570D
                                                                                                                                                                            • memset.MSVCRT ref: 00445725
                                                                                                                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                            • memset.MSVCRT ref: 0044573D
                                                                                                                                                                            • memset.MSVCRT ref: 00445755
                                                                                                                                                                            • memset.MSVCRT ref: 004458CB
                                                                                                                                                                            • memset.MSVCRT ref: 004458E3
                                                                                                                                                                            • memset.MSVCRT ref: 0044596E
                                                                                                                                                                            • memset.MSVCRT ref: 00445A10
                                                                                                                                                                            • memset.MSVCRT ref: 00445A28
                                                                                                                                                                            • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                            • memset.MSVCRT ref: 00445B52
                                                                                                                                                                            • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                            • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                            • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                            • memset.MSVCRT ref: 00445B82
                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                            • memset.MSVCRT ref: 00445986
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                            • API String ID: 2263259095-3798722523
                                                                                                                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                            • API String ID: 2744995895-28296030
                                                                                                                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                            • memset.MSVCRT ref: 0040B756
                                                                                                                                                                            • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                            • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                            • memset.MSVCRT ref: 0040B851
                                                                                                                                                                            • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                            • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                                                                                            • String ID: chp$v10
                                                                                                                                                                            • API String ID: 4165125987-2783969131
                                                                                                                                                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                            • free.MSVCRT ref: 0040E49A
                                                                                                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                            • memset.MSVCRT ref: 0040E380
                                                                                                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                            • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                                                                                                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                                                                                                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                            • API String ID: 3849927982-2252543386
                                                                                                                                                                            • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                            • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004091E2
                                                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3715365532-3916222277
                                                                                                                                                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                                                                                            • memset.MSVCRT ref: 00413D7F
                                                                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                                            • memset.MSVCRT ref: 00413E07
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                                                                            • free.MSVCRT ref: 00413EC1
                                                                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                            • API String ID: 1344430650-1740548384
                                                                                                                                                                            • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                            • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                              • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                            • String ID: bhv
                                                                                                                                                                            • API String ID: 4234240956-2689659898
                                                                                                                                                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                            • API String ID: 2941347001-70141382
                                                                                                                                                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                                                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2827331108-0
                                                                                                                                                                            • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                                                            • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040C298
                                                                                                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                            • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                            • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                                                                            • String ID: visited:
                                                                                                                                                                            • API String ID: 1157525455-1702587658
                                                                                                                                                                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                            • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                            • free.MSVCRT ref: 0040E28B
                                                                                                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                            • API String ID: 2804212203-2982631422
                                                                                                                                                                            • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                                            • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                            • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                            • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                            • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                                                                                            • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 115830560-3916222277
                                                                                                                                                                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                                                                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                            • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                            • free.MSVCRT ref: 0041848B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile$ErrorLastfree
                                                                                                                                                                            • String ID: |A
                                                                                                                                                                            • API String ID: 77810686-1717621600
                                                                                                                                                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0041249C
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                                                                            • wcscpy.MSVCRT ref: 004125A0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                            • String ID: r!A
                                                                                                                                                                            • API String ID: 2791114272-628097481
                                                                                                                                                                            • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                                                                            • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                            • API String ID: 2936932814-4196376884
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                            • String ID: BIN
                                                                                                                                                                            • API String ID: 1668488027-1015027815
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                            • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                            • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                            • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 697348961-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                            • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                            • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                            • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                            • memset.MSVCRT ref: 00403D13
                                                                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                            • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                            • API String ID: 3527940856-11920434
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00403E50
                                                                                                                                                                            • memset.MSVCRT ref: 00403E65
                                                                                                                                                                            • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                            • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                            • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                            • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                            • API String ID: 3527940856-2068335096
                                                                                                                                                                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                            • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                            • memset.MSVCRT ref: 0040400B
                                                                                                                                                                            • memset.MSVCRT ref: 00404020
                                                                                                                                                                            • memset.MSVCRT ref: 00404035
                                                                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                            • memset.MSVCRT ref: 004040FC
                                                                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                            • API String ID: 3527940856-3369679110
                                                                                                                                                                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                                                                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                                                                                            APIs
                                                                                                                                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy
                                                                                                                                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                            • API String ID: 3510742995-2641926074
                                                                                                                                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                            • memset.MSVCRT ref: 004033B7
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                                            • String ID: $0.@
                                                                                                                                                                            • API String ID: 2758756878-1896041820
                                                                                                                                                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2941347001-0
                                                                                                                                                                            • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                                                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                                                                            • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00403C09
                                                                                                                                                                            • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                            • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                            • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                                                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                            • API String ID: 3249829328-1174173950
                                                                                                                                                                            • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                                            • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                                                                            • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                                            • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040A824
                                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                            • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 669240632-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                            • String ID: "%s"
                                                                                                                                                                            • API String ID: 1343145685-3297466227
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                            • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                            • API String ID: 1714573020-3385500049
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004087D6
                                                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                            • memset.MSVCRT ref: 00408828
                                                                                                                                                                            • memset.MSVCRT ref: 00408840
                                                                                                                                                                            • memset.MSVCRT ref: 00408858
                                                                                                                                                                            • memset.MSVCRT ref: 00408870
                                                                                                                                                                            • memset.MSVCRT ref: 00408888
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2911713577-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcmp
                                                                                                                                                                            • String ID: @ $SQLite format 3
                                                                                                                                                                            • API String ID: 1475443563-3708268960
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                            • memset.MSVCRT ref: 00414C87
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                            Strings
                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                            • API String ID: 2705122986-2036018995
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcsicmpqsort
                                                                                                                                                                            • String ID: /nosort$/sort
                                                                                                                                                                            • API String ID: 1579243037-1578091866
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                            • memset.MSVCRT ref: 0040E629
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            Strings
                                                                                                                                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                            • API String ID: 3354267031-2114579845
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??3@
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset
                                                                                                                                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??3@DeleteObject
                                                                                                                                                                            • String ID: r!A
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??2@
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                            • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$memcmp
                                                                                                                                                                            • String ID: $$8
                                                                                                                                                                            Strings
                                                                                                                                                                            • duplicate column name: %s, xrefs: 004307FE
                                                                                                                                                                            • too many columns on %s, xrefs: 00430763
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: duplicate column name: %s$too many columns on %s
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1979745280-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                            • memset.MSVCRT ref: 00403A55
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                            • String ID: history.dat$places.sqlite
                                                                                                                                                                            • API String ID: 2641622041-467022611
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 839530781-0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileFindFirst
                                                                                                                                                                            • String ID: *.*$index.dat
                                                                                                                                                                            • API String ID: 1974802433-2863569691
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1156039329-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseCreateHandleTime
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3397143404-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1125800050-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                            • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandleSleep
                                                                                                                                                                            • String ID: }A
                                                                                                                                                                            • API String ID: 252777609-2138825249
                                                                                                                                                                            APIs
                                                                                                                                                                            • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                            • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                            • free.MSVCRT ref: 00409A31
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: freemallocmemcpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3056473165-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • failed memory resize %u to %u bytes, xrefs: 00415358
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: realloc
                                                                                                                                                                            • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                            • API String ID: 471065373-2134078882
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: d
                                                                                                                                                                            • API String ID: 0-2564639436
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset
                                                                                                                                                                            • String ID: BINARY
                                                                                                                                                                            • API String ID: 2221118986-907554435
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcsicmp
                                                                                                                                                                            • String ID: /stext
                                                                                                                                                                            • API String ID: 2081463915-3817206916
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2445788494-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3150196962-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: malloc
                                                                                                                                                                            • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                            • API String ID: 2803490479-1168259600
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0041BDDF
                                                                                                                                                                            • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcmpmemset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1065087418-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                              • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                              • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004301AD
                                                                                                                                                                            • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpymemset
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$PointerRead
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$FileModuleName
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3859505661-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2738559852-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3934441357-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??3@
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 613200358-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EnumNamesResource
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3334572018-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseFind
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1863332320-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Open
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 71445658-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004095FC
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3655998216-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00445426
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1828521557-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                              • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                            • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??2@FilePointermemcpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 609303285-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcsicmp
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??2@??3@
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                            • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                            • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                            • free.MSVCRT ref: 00418370
                                                                                                                                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                            • String ID: OsError 0x%x (%u)
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Version
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                            • memset.MSVCRT ref: 0040265F
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                                                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                            • API String ID: 577499730-1134094380
                                                                                                                                                                            • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                                            • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                            • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                                            • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                            • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                            • API String ID: 2787044678-1921111777
                                                                                                                                                                            • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                            • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                                                                            • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                            • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                            • GetDC.USER32 ref: 004140E3
                                                                                                                                                                            • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                            • String ID: %s:$EDIT$STATIC
                                                                                                                                                                            • API String ID: 2080319088-3046471546
                                                                                                                                                                            • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                                                            • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                                                                            • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                                                            • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                                                                            APIs
                                                                                                                                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                            • memset.MSVCRT ref: 00413292
                                                                                                                                                                            • memset.MSVCRT ref: 004132B4
                                                                                                                                                                            • memset.MSVCRT ref: 004132CD
                                                                                                                                                                            • memset.MSVCRT ref: 004132E1
                                                                                                                                                                            • memset.MSVCRT ref: 004132FB
                                                                                                                                                                            • memset.MSVCRT ref: 00413310
                                                                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                            • memset.MSVCRT ref: 004133C0
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                            Strings
                                                                                                                                                                            • {Unknown}, xrefs: 004132A6
                                                                                                                                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                            • API String ID: 4111938811-1819279800
                                                                                                                                                                            • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                                                                                            • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                                                                                            • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                                                                                            • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 829165378-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00404172
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                            • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                            • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                            • memset.MSVCRT ref: 00404200
                                                                                                                                                                            • memset.MSVCRT ref: 00404215
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                            • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                            • memset.MSVCRT ref: 0040426E
                                                                                                                                                                            • memset.MSVCRT ref: 004042CD
                                                                                                                                                                            • memset.MSVCRT ref: 004042E2
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                            • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                            • API String ID: 2454223109-1580313836
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                            • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                                            • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                            • API String ID: 4054529287-3175352466
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                            • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                                                                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                            • API String ID: 667068680-2887671607
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                            • API String ID: 2000436516-3842416460
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1043902810-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                            • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                            • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                            • API String ID: 2899246560-1542517562
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                            • memset.MSVCRT ref: 004085CF
                                                                                                                                                                            • memset.MSVCRT ref: 004085F1
                                                                                                                                                                            • memset.MSVCRT ref: 00408606
                                                                                                                                                                            • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                                                                            • memset.MSVCRT ref: 0040870E
                                                                                                                                                                            • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                            • String ID: ---
                                                                                                                                                                            • API String ID: 3437578500-2854292027
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                            • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                            • free.MSVCRT ref: 004186C7
                                                                                                                                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                            • free.MSVCRT ref: 004186E0
                                                                                                                                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                            • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                            • free.MSVCRT ref: 00418716
                                                                                                                                                                            • free.MSVCRT ref: 0041872A
                                                                                                                                                                            • free.MSVCRT ref: 00418749
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                                            • String ID: |A
                                                                                                                                                                            • API String ID: 3356672799-1717621600
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcsicmp
                                                                                                                                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                            • API String ID: 2081463915-1959339147
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1700100422-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 552707033-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                            • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                            • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                            • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                            • String ID: 4$h
                                                                                                                                                                            • API String ID: 4066021378-1856150674
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$_snwprintf
                                                                                                                                                                            • String ID: %%0.%df
                                                                                                                                                                            • API String ID: 3473751417-763548558
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                            • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                            • String ID: A
                                                                                                                                                                            • API String ID: 2892645895-3554254475
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                            • String ID: 0$6
                                                                                                                                                                            • API String ID: 4066108131-3849865405
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004082EF
                                                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                            • memset.MSVCRT ref: 00408362
                                                                                                                                                                            • memset.MSVCRT ref: 00408377
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$ByteCharMultiWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 290601579-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040A47B
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                            • String ID: %s (%s)$YV@
                                                                                                                                                                            • API String ID: 3979103747-598926743
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                            • API String ID: 2780580303-317687271
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                            • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                            • API String ID: 2767993716-572158859
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • out of memory, xrefs: 0042F865
                                                                                                                                                                            • database is already attached, xrefs: 0042F721
                                                                                                                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpymemset
                                                                                                                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                            • API String ID: 1297977491-2001300268
                                                                                                                                                                            APIs
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                            • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                            • free.MSVCRT ref: 004185AC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2802642348-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                            • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                            • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                            • String ID: strings
                                                                                                                                                                            • API String ID: 3166385802-3030018805
                                                                                                                                                                            APIs
                                                                                                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                                            • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                                            • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                                            • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$memset
                                                                                                                                                                            • String ID: -journal$-wal
                                                                                                                                                                            • API String ID: 438689982-2894717839
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4218492932-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                                            • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$memset
                                                                                                                                                                            • String ID: gj
                                                                                                                                                                            • API String ID: 438689982-4203073231
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                            • String ID: 0$6
                                                                                                                                                                            • API String ID: 2029023288-3849865405
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                            • memset.MSVCRT ref: 00405455
                                                                                                                                                                            • memset.MSVCRT ref: 0040546C
                                                                                                                                                                            • memset.MSVCRT ref: 00405483
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                            • String ID: 6$\
                                                                                                                                                                            • API String ID: 404372293-1284684873
                                                                                                                                                                            APIs
                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1331804452-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                            • String ID: advapi32.dll
                                                                                                                                                                            • API String ID: 2012295524-4050573280
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                            • <%s>, xrefs: 004100A6
                                                                                                                                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$_snwprintf
                                                                                                                                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                            • API String ID: 3473751417-2880344631
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                            • String ID: %2.2X
                                                                                                                                                                            • API String ID: 2521778956-791839006
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _snwprintfwcscpy
                                                                                                                                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                              • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                                            • memset.MSVCRT ref: 0040C439
                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004116FF
                                                                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                            APIs
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFilefreememset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                            • malloc.MSVCRT ref: 00417524
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                            • free.MSVCRT ref: 00417544
                                                                                                                                                                            • free.MSVCRT ref: 00417562
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                                            • free.MSVCRT ref: 0041822B
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PathTemp$free
                                                                                                                                                                            • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                            APIs
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                            • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                            • String ID: General
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                            • String ID: Error$Error %d: %s
                                                                                                                                                                            • API String ID: 313946961-1552265934
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy
                                                                                                                                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                            • API String ID: 3510742995-272990098
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                            • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpymemset
                                                                                                                                                                            • String ID: gj
                                                                                                                                                                            • API String ID: 1297977491-4203073231
                                                                                                                                                                            APIs
                                                                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                            • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                            • free.MSVCRT ref: 004174E4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4053608372-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4247780290-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                            • memset.MSVCRT ref: 004450CD
                                                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1471605966-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                            • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                            • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                            • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                            • String ID: \StringFileInfo\
                                                                                                                                                                            • API String ID: 102104167-2245444037
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004100FB
                                                                                                                                                                            • memset.MSVCRT ref: 00410112
                                                                                                                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                            • String ID: </%s>
                                                                                                                                                                            • API String ID: 3400436232-259020660
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                            • String ID: caption
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                            • String ID: MS Sans Serif
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040560C
                                                                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                            • String ID: *.*$dat$wand.dat
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 00412057
                                                                                                                                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • free.MSVCRT ref: 0040F561
                                                                                                                                                                            • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                            • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$free
                                                                                                                                                                            • String ID: g4@
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 004144E7
                                                                                                                                                                              • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                              • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                            • memset.MSVCRT ref: 0041451A
                                                                                                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                            • malloc.MSVCRT ref: 00417459
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                                                                                                            • free.MSVCRT ref: 0041747F
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                            • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2678498856-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040F673
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                            • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2754987064-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                            • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2754987064-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 764393265-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 979780441-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1386444988-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wcschr$memcpywcslen
                                                                                                                                                                            • String ID: "
                                                                                                                                                                            • API String ID: 1983396471-123907689
                                                                                                                                                                            APIs
                                                                                                                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _snwprintfmemcpy
                                                                                                                                                                            • String ID: %2.2X
                                                                                                                                                                            • API String ID: 2789212964-323797159
                                                                                                                                                                            APIs
                                                                                                                                                                            • memset.MSVCRT ref: 0040E770
                                                                                                                                                                            • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSendmemset
                                                                                                                                                                            • String ID: F^@
                                                                                                                                                                            • API String ID: 568519121-3652327722
                                                                                                                                                                            APIs
                                                                                                                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                            • free.MSVCRT ref: 0040B201
                                                                                                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                            • free.MSVCRT ref: 0040B224
                                                                                                                                                                            • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 726966127-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                            • free.MSVCRT ref: 0040B0FB
                                                                                                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                            • free.MSVCRT ref: 0040B12C
                                                                                                                                                                            • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3669619086-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                            • malloc.MSVCRT ref: 00417407
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                            • free.MSVCRT ref: 00417425
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000013.00000002.2052805127.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_19_2_400000_RNJBFdvJTXAE.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2605342592-0